23542300x800000000000000082863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:15.444{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59355BF8C10CAC955D1BA3CB80D2FD00,SHA256=2BA78121392A38AD5FFD0A6410F072038137398CDCA4C00BCB558CAE063ABDB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:15.184{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2416BC690EFFC29790CF8C9AA2A5F67,SHA256=B42F27EBC091EC39240395A783569AD88FCD4F780F6326594E7A3B9F8533CB72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:15.028{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:15.028{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:15.028{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:15.028{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:16.538{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10A2480B576947115ECAEC6CBA2F6C2,SHA256=2AC6AEE35DCBAD12F06A42EA0734D85EC8C68E30F46C9B5EDE130887F6BC5B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:16.278{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96633557F31893703A949A65367E3E43,SHA256=845FDEDF7EFBE89123FF5FE8364462B9408A9CD7B9D0C670A95C0AC5B3890A81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:16.262{F81F30E6-0B5C-62E1-9000-000000007202}45882448C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:16.262{F81F30E6-0B5C-62E1-9000-000000007202}45882448C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:16.262{F81F30E6-0B5C-62E1-9000-000000007202}45882448C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:16.215{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:16.215{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000082864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:13.387{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50055-false10.0.1.12-8000- 23542300x800000000000000082866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:17.631{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C324768248CCA4FDA5B5173CB92EE001,SHA256=4E48DD64720535FE5A5C41897E66748EF299236D2B3054B939B6F9A1A50070CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.840{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.778{F81F30E6-0B10-62E1-1500-000000007202}12241996C:\Windows\system32\svchost.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.778{F81F30E6-0B10-62E1-1500-000000007202}12241268C:\Windows\system32\svchost.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.747{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.731{F81F30E6-0FDD-62E1-7105-000000007202}2148916C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888C35D3C) 10341000x8000000000000000330847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.700{F81F30E6-0FDD-62E1-7105-000000007202}21485836C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDDFD6) 10341000x8000000000000000330846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.684{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.684{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.668{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.668{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.668{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BEA17B) 10341000x8000000000000000330841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.668{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.668{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.668{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDDFD6) 10341000x8000000000000000330838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.668{F81F30E6-0FDD-62E1-7105-000000007202}2148916C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDAAA9) 10341000x8000000000000000330837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.668{F81F30E6-0FDD-62E1-7105-000000007202}21486108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c1d4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0FDD-62E1-7105-000000007202}21486108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9414|C:\Windows\System32\KERNELBASE.dll+c7105|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0FDD-62E1-7105-000000007202}21486108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0FDD-62E1-7105-000000007202}21486108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0FDD-62E1-7105-000000007202}21486108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+55fc0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0B59-62E1-8100-000000007202}29602952C:\Windows\system32\csrss.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0FDD-62E1-7105-000000007202}21486108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7437c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5522b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.659{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe5.15.2.0-libGLESv2-libGLESv2.dll"C:\Temp\dcrat.exe"C:\Temp\ATTACKRANGE\Administrator{F81F30E6-0B5B-62E1-E402-080000000000}0x802e42HighMD5=E06895CC68C528CCD69780358C4A9DA8,SHA256=A7BC5B997A4051EF86F2BEC3C3E21254AFF16F8CFFF9ECFBBC06F73DA39D5F9D,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000330825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0B0F-62E1-1300-000000007202}965248C:\Windows\System32\svchost.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0B5C-62E1-9000-000000007202}45882448C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0B5C-62E1-9000-000000007202}45882448C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.653{F81F30E6-0B5C-62E1-9000-000000007202}45882448C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000330821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:17.262{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1CF6DBDFDECC06110FC454FC8CBC109,SHA256=00FF5629F40A551BB2EA9F8986C3E52CC7B0D05B7EBB014491B283BA8DB69FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:18.725{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BF76D25A0B2C7A4BB5CE7F757F7B33,SHA256=D548C2217F0FA10AD2CF8EBD3B3176FB192A4372EBFB907861C87CF5B682EEA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:18.859{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FE1FFB74B3C597881E62C9DE8DD12A11,SHA256=9D6A2C0F7E0A87B91274187D61510FCE85AEFB7D06F25853D5E40C6FE9FB761C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:18.724{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDEF965E244C8EAA7C8107543FA2CE5A,SHA256=21F8216FD7BDA39AAEB73E11C216A7C1D4BAB6B1F1860576928D9AA88A1A1C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:18.686{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C74D3D3E1797E9DC854E0ED0F3867EA,SHA256=73C326B43AC53D1EDA919F24BE93346ED99658580D2ED6BD376248F34450896B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:18.418{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:18.418{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:18.356{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:19.819{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C34F8998D48F4A5CB6E4B32D7BB65B,SHA256=D536211D183B77B5958D685B13BD3DF8AAEE84D3DB8675F198149222711C38C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:19.440{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33125697B03B674688935E7F7F92DAB,SHA256=5EB0AA394C0592B51AEE1C0F13753101D7995853960B7BD3706DFCD0F5C7604F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:15.756{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50224-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000330859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:19.269{F81F30E6-0B0F-62E1-0D00-000000007202}9202916C:\Windows\system32\svchost.exe{F81F30E6-0B5B-62E1-8700-000000007202}4112C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:20.913{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8B8AFA160C006D28E95EDD5E429B0F,SHA256=C253F9744D5FA70D134AD56D56FF1E52B9394CAB77C045AC03BC7E93DC3E6D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:20.534{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B05EC3539BFC6DC95034441737BCF7E,SHA256=6F6310E6BB5B552D42F2622F1D183D2729E47B7AB47526E17DB5DEA5EA0DFD25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:21.677{F81F30E6-0B0F-62E1-1100-000000007202}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6B5D3535DC60D39D2E020678990030F0,SHA256=DFA43A416E8DBA7EC35221B3B7EEE0B4D7F9CB19A57B9826B21D78231C0A0215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:21.630{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555058AD65A3D0AC3166BBD55108F14E,SHA256=10B70456F4E902367A8450664FCBBE66998F57F15802B51B727DE114D35C5B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:21.538{F81F30E6-0B1D-62E1-2C00-000000007202}2616NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220727095336-029MD5=99DFBF69F36DC84C9E4F055F96F6DBEE,SHA256=5A6F241667B5803E3B22FA8E48F54177002A808F58B64D76EA864214BBAFB413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:21.475{53069400-0B10-62E1-1100-000000007202}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A4B5F78DF028EF0C8861B9FA01E6EE5C,SHA256=764AC2A754A4A68C120A5680BC22CE064716FD463B01026C4245ABFF5E24F6B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:21.381{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:22.613{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B1CA629F512F05DB02ACF08833EB5D,SHA256=A40E259522B6DFC49151AD26A62A57049F10FE424A4710EBE077F36CB5746076,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:19.388{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50056-false10.0.1.12-8000- 23542300x800000000000000082872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:22.006{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A44AD8FABB496F57989C4DEB2E2329A,SHA256=AA2A4BBB1E5260C577E46F8CA2B1AE92A191B9742C3F637F4B9167C15A23DC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:22.537{F81F30E6-0B1D-62E1-2C00-000000007202}2616NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220727095334-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:22.114{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 23542300x8000000000000000330869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:23.710{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122DDDC726D33E5E70021014CB3F9DA9,SHA256=4311605BDE2374D7F3935DBA14ECB0892C650B849BC70253E16B9E30DD4B387D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:20.637{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50057-false10.0.1.12-8089- 23542300x800000000000000082874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:23.100{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEBE167587DE2855BC31F28AA20CF77,SHA256=D1B64FAFC269DC3819A09F3AFB284F13D52767ED2A70C5D3E0B54CA9A9DABA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:24.913{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0202F48C8A53CD8BE2F55F04DC8BC6D,SHA256=185DDA9459635F450A7C43BCEB85F646F1A461309ACEB5C6C33F24F1C75B5523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:24.194{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06034644B2295C3792CC117B7143155B,SHA256=A915546E3911E21764B1E2D86F4E47DE0CF2A154CFDEE3E5730E0BBE49B7CCB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:21.626{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50225-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:25.288{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6CECB9EAE336AF527F68C3ACE9D5B6,SHA256=7DEE4D6A005F2668D1398E0578C8B67417A2320DC84A037716D22436F74A085C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:26.381{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F9313735588877A2B367C33729F4D8,SHA256=145D1A11DDE0DC768ED7197DFCA6055836BF23AE9E087F3A1AA04FD3A1DDE8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:26.006{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8219829473DD63FDE8DEE86FE36A317,SHA256=BD9AC92BDB2993A4EC7705570CAAED3DD5D5FDE23B054E1049E8B6466C4EA5E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:25.387{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50058-false10.0.1.12-8000- 23542300x800000000000000082879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:27.475{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B21D2603BCF2BB1CC0AB8E3563A8CA,SHA256=BDD608D6C4956C40D5C6C7F3EEDA7CB0020B9E225BE2C9E111A6765766186A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:27.100{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78517E6E6D47338619B31885C2C9639,SHA256=112A47B0F00D9EDB64B8A40D59A4AD8CF1CFC160BD59FC099B8D15D1A15C0060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:28.569{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C46381D0E90C9C1790CAE485FE7F3F,SHA256=E784A624CFF788DEE147A329E34F585B3C858C564A175A44D35BA3BD4B56034C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:28.288{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-1251-62E1-C005-000000007202}2608C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000330874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:28.194{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928FACA35F9F7CE979F4C9226A6214AD,SHA256=7467918612A9BAFB2B8E53D9391684785CAA979E498FA1A98394793F1567AB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:29.663{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A46E0BFBD7DCE3CB9D4DB027BDB7B8E,SHA256=252BFB9ACFF37026BFDD90929768C6EDEF34F55DD8732103A2B058086856B3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:29.397{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212190D95991ECE1AE310568FC0816D8,SHA256=7E21F564D2FE38F2BF40A9D8D8C3330C0ED3063261E898E49343FCDE9F8EB57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:30.756{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F132C011FF03DE9BA0803E5596FBB274,SHA256=A7549D074240F158630765B0711CAE7C8EA1137F586517F1049960645FBD2F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:30.491{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8340067F224F41345E8576A365BD22D,SHA256=737EBB01E918436F8572BB7C39A5A3795FE803918EEF06F71D8BA18515021A54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:26.766{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50226-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 22542200x8000000000000000330877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:26.869{F81F30E6-1251-62E1-C005-000000007202}2608datagroup.ddns.net0::ffff:127.0.0.1;C:\Temp\dcrat.exe 23542300x800000000000000082884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:31.850{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BCC070480BB17F41B658EBA41A79E8,SHA256=789775976D31DF3225266BA30233EB03C8C608F952C59F162F3A29654E49D610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:31.584{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6695D6A3893610F58C6B8414395E787D,SHA256=ABED7DF8935AEF907E92ABFB8AADFAABD4027316797136841244CC43C1971F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:32.944{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E708CF755709ED21B9A7EAD8CCF11B1,SHA256=6930BD612FF16B63BBDCE98B7603EBB1C36D6AFA1033D55B1D05C46F45B43F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:32.678{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAB41112A4653F963C5C7DDC7E8EA8B,SHA256=409F47817110E1D54D45DCA7D689C0F5769DF6F15ECBA6B609817236578D13BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:32.037{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:32.037{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000330884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:33.772{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADF679BFD4DD24196E75C3B5D771459,SHA256=6AA053FC7212B5CCE3437F3A907FF5301FB6B214EAEED8708BE087D8F33789AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:34.865{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B9D8EC5BF53A691812B7F490255059,SHA256=AC5E3440B5FAF57F82C2A90A80FEF8D2271A7DB303943E0AB69D2DF12C113F4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1262-62E1-5F01-000000007202}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B0F-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{53069400-1262-62E1-5F01-000000007202}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.725{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1262-62E1-5F01-000000007202}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.726{53069400-1262-62E1-5F01-000000007202}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000082887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:31.356{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50059-false10.0.1.12-8000- 23542300x800000000000000082886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:34.038{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E5CAA663320979E27E6ED49C1F64E7,SHA256=0AAE2BF765B84670E29D0DEB3A27DC65A5791C36656AF383D36D16C407C9E6E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:35.959{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62AE9C997B22E8344582E08EA58022E1,SHA256=7E7F49EEC640E9986A91DA57251C220CE70DDB1C9FAE2CAB6A1FB50D3871B6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.756{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A23DED2E88435C68EB5204895DF16C0A,SHA256=E553EA11EB8D04B0F1E2D07AC1468A89DE170BA1FB9829270DA4AFB414F0C382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.725{53069400-1263-62E1-6001-000000007202}26321868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1263-62E1-6001-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B0F-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{53069400-1263-62E1-6001-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.522{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1263-62E1-6001-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.523{53069400-1263-62E1-6001-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:35.131{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75354BC55D4085FED194680120E84154,SHA256=E9652FBBA5B698DC043E29ACBAC3456D53B01F0FEA7A198784119A8ADA65A003,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:32.625{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50229-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000082931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1264-62E1-6101-000000007202}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-1264-62E1-6101-000000007202}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.725{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1264-62E1-6101-000000007202}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.726{53069400-1264-62E1-6101-000000007202}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.350{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B5B80846ED8DFDB46F1AEE6853095A80,SHA256=37B759B613F18561F48534F94FA75E90DAF2288695EE85917355BDB87EA7F2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:36.225{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94F06CC0520508667FD0A472A839FB7,SHA256=3DBB2B57C991CEDC2CF2AA7A1D3F7AD01F9F1E7FC74F93B25BB89FFB75ACC091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:37.319{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FF4AFD94101F6DE11519FAC2EC269A,SHA256=37B27D7C19DE811384AA8FA1D5C71E5148EBAE78C1D557BC99F7AEA413AAE7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:37.053{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B98FB7EBDAE757D825A702EBADCF1AF,SHA256=2A9B83A625F1517BC418D8DFDDAF28C2F50452BC107F25F408282326FC621242,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.788{53069400-1266-62E1-6201-000000007202}39722064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1266-62E1-6201-000000007202}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B0F-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{53069400-1266-62E1-6201-000000007202}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.522{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1266-62E1-6201-000000007202}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.523{53069400-1266-62E1-6201-000000007202}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:38.413{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6495397A1FEAAF31343A0F5CF1B40C0,SHA256=CA55DA5A27453991E2B33DBF56821622A426A003611BB62AAE5CB0E2D02021D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:38.324{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E3899E0312B9A40308029A8FD15720,SHA256=8F1B2DD82E25AFF6E41973CC012EFD00BF26402F85E3D60912C229619916F95E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.913{53069400-1267-62E1-6401-000000007202}34163700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1267-62E1-6401-000000007202}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-1267-62E1-6401-000000007202}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.725{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1267-62E1-6401-000000007202}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.726{53069400-1267-62E1-6401-000000007202}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.663{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0502F3998C8D928B539CC8004B7F944E,SHA256=982D6BF320934730DBE217B822F87B537F3EBB9D3B613CA3754FDC1253CB52B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:39.418{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C540FFB3575BD0FC166E4672FCE0E1,SHA256=AB1D7AA16CC2611B9313F4DFCEEAB2972EC4DB2C1A76B63C274CB2FBC0A14B84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.366{53069400-1267-62E1-6301-000000007202}36361460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1267-62E1-6301-000000007202}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-1267-62E1-6301-000000007202}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.194{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1267-62E1-6301-000000007202}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:39.195{53069400-1267-62E1-6301-000000007202}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:40.803{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A99E2D6BC599D686FC486E63D50EE14,SHA256=5196C672C543112DC66887059249FC92ED8DDB3357F5E831D30DF71D74FEC1B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:40.725{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941B15AB8E34E212EDAE0DC3BB8D140A,SHA256=390D8A0E89DC8393F481DF9E2C53EA42F817DC7E063CC6FCE9DCCE0979B5EC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:40.512{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490B6DDC02C51500C4F7BBD3B28E6307,SHA256=96F2BED268DCDAEFE877028B9889260C15ADF2C88913DE71F34608F11B47CB9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:37.372{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50060-false10.0.1.12-8000- 23542300x800000000000000082993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.835{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC991D85777E1E991075911010A1EB7,SHA256=8A3D610B56FF1D5AE55B88AA0995223B8F94081E992E3ACF14F54B8D6112FADB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:37.803{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50230-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000330892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:41.605{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F1C0DC1E2C7CB5001833176BAFC8D2,SHA256=4729E0F2E339068DE93981FB9340D3D78A2923D81373FD253DF9C802369C861C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1269-62E1-6501-000000007202}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-1269-62E1-6501-000000007202}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.725{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1269-62E1-6501-000000007202}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:41.726{53069400-1269-62E1-6501-000000007202}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:42.928{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED83BC5F23D282BCDB67C72832876C0F,SHA256=29101A9EFAB5F58324C0223D3F481428CFCE5445CD9C0FB5E78D88E870E3701B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:42.699{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAEE252D8F2FD02286BFD6CEB8C5286A,SHA256=F0F53CC8F4B73209B369A059DA47698D014FB043C6B208BF9BA18B44FF60DF36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:42.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:42.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:42.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:42.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:43.824{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:43.824{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:43.824{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000330901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:43.793{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DBCDB0166492C325C9702FA7FC305A,SHA256=7C7C46CDFBC333A4E0B637BF7D28E47EF064BC84B72C5219CCE9A1D815DCE645,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:43.777{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:43.777{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.949{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.933{F81F30E6-0FDD-62E1-7105-000000007202}21485252C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888C35D3C) 23542300x8000000000000000330931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.902{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5C5A9664FAD3A5E7A23E12B19D62EF,SHA256=1B45844A81CB1D225CCA1BF90369E7A30DA7EBD0E7C11698C47D0A6C12401120,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.902{F81F30E6-0FDD-62E1-7105-000000007202}21485836C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDDFD6) 10341000x8000000000000000330929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.886{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.886{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.871{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.871{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.871{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BEA17B) 10341000x8000000000000000330924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.871{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.871{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000330922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.871{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDDFD6) 10341000x8000000000000000330921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.871{F81F30E6-0FDD-62E1-7105-000000007202}21485252C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDAAA9) 10341000x8000000000000000330920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.871{F81F30E6-0FDD-62E1-7105-000000007202}21483108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c1d4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.855{F81F30E6-0FDD-62E1-7105-000000007202}21483108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9414|C:\Windows\System32\KERNELBASE.dll+c7105|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.855{F81F30E6-0FDD-62E1-7105-000000007202}21483108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.855{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.855{F81F30E6-0FDD-62E1-7105-000000007202}21483108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.855{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.855{F81F30E6-0FDD-62E1-7105-000000007202}21483108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+55fc0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.855{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.855{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.855{F81F30E6-0B59-62E1-8100-000000007202}29602952C:\Windows\system32\csrss.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.855{F81F30E6-0FDD-62E1-7105-000000007202}21483108C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7437c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5522b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.858{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe5.15.2.0-libGLESv2-libGLESv2.dll"C:\Temp\dcrat.exe"C:\Temp\ATTACKRANGE\Administrator{F81F30E6-0B5B-62E1-E402-080000000000}0x802e42HighMD5=E06895CC68C528CCD69780358C4A9DA8,SHA256=A7BC5B997A4051EF86F2BEC3C3E21254AFF16F8CFFF9ECFBBC06F73DA39D5F9D,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000330908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.855{F81F30E6-0B0F-62E1-1300-000000007202}965248C:\Windows\System32\svchost.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.840{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.840{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.840{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:44.022{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B3C8BAB0E5FC98BD7F427789B5EE37,SHA256=AC4BB7CD956E61318F1658955E70BBC254D1506FD0A0B6B676DCB3C38E70155C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:45.918{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC70F31D813D879087A28072DDC33EFF,SHA256=E1EC0FD11A6FBF747FEC59785752D6705A85FDE3E29F3B5C5007F671984F1D71,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:43.356{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50061-false10.0.1.12-8000- 23542300x800000000000000082996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:45.116{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB0D9E9AFE862DB715E2390D0CFB624,SHA256=016F3FE4F12AD388F29BF366239ECEA736DED271F948616602B813EED6C16959,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:45.761{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:45.761{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:45.715{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:45.668{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:45.668{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:45.090{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:45.027{F81F30E6-0B10-62E1-1500-000000007202}12241996C:\Windows\system32\svchost.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:45.027{F81F30E6-0B10-62E1-1500-000000007202}12241268C:\Windows\system32\svchost.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:46.209{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B820AAF6B83FA2A2C382BCE4B4A3C6,SHA256=4FF2E2BB1BE23DA394A738C4B9C4B8C2EAB323B8C276855EFACD89FC8090B3FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:43.694{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50231-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000330944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:46.215{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:46.027{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F02DBBAF9B9E5908F2ED3794AC48EE,SHA256=C7EA27F8F2DDCA6DA4D331FCFBCE352BBF2DF552D592CAEA84B93D7A4F7FB8CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:47.303{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E994D81AE04721571720E0F600FB6AA,SHA256=7A6D6D4F29FFA23D80E0B8D76D1106717DEB600FD52ACEA108884014BDF4CBE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.824{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.824{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.824{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.824{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.558{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-126F-62E1-C205-000000007202}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.558{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-126F-62E1-C205-000000007202}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.558{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-126F-62E1-C205-000000007202}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.559{F81F30E6-126F-62E1-C205-000000007202}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:47.011{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F4CDDE0B4EDC9C56F8E9E4BC9BDFD6,SHA256=08D6F9BDBEAD375636DA404384A6DCBA8426D0BA8F8B8B27502D8278970FDF48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:48.397{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E88605E26C21219AD419624CACEB704,SHA256=29DBA8004DB4D445477B41E35825E63D80298B88A7CAFCF1910EEB3F76E5674B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:44.741{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50232-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000330968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.418{F81F30E6-1270-62E1-C305-000000007202}52921308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.230{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1270-62E1-C305-000000007202}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.230{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.230{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.230{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.230{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.230{F81F30E6-0B0D-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{F81F30E6-1270-62E1-C305-000000007202}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.230{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1270-62E1-C305-000000007202}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.231{F81F30E6-1270-62E1-C305-000000007202}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.105{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372F66BC61F0134C9F012CF260A8982E,SHA256=9FBB9B72383C94DFC02DD65A292FF883E30C7FD72B11C3F07D00375B28AAC830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:49.491{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF496648A9529DB10C198096E652AC84,SHA256=9DEF00C70DD43907BE7D5A4FFEBAB7B3F2E8FE010D16AE11C922635CDB45972E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:49.277{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1271-62E1-C405-000000007202}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:49.277{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:49.277{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:49.277{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:49.277{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:49.277{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-1271-62E1-C405-000000007202}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:49.277{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1271-62E1-C405-000000007202}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:49.278{F81F30E6-1271-62E1-C405-000000007202}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:49.199{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BB3D6F0812477E8E7DEE4BBE292950,SHA256=B2A28E973D13DCAAE0C0A1851A3D1EBFAAAEF0366D0760810A4C9B64BAC0EA27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:49.152{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7DB7F16480D541BE555F4A18678839D7,SHA256=3BBCB1DB48049DF90454E5CBB5800CBE43565BBEAE79266E08BC10DF7B808670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:50.584{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB0636F183CF90CF5BA35D7E29EFB84,SHA256=0DCE80F70A68EC4DBE0EE04657C167A488AD1021051FECD3FCCC8EFD3186F26E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:50.339{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 23542300x8000000000000000330980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:50.292{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4504014354E555671F7790716467E2A,SHA256=B3366F256BF1D6BA8059CA2D69DC9CB18231D9F6A8DD1C1A41073B2AA3970015,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:48.387{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50062-false10.0.1.12-8000- 23542300x800000000000000083004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:51.788{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8181F4CEFE27D1FA1911523E7547660,SHA256=679912622DC3F79AC52ECDCBED0683E684A26BE84B74E7A54F2DF4FDB81A2E52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:51.777{F81F30E6-1273-62E1-C505-000000007202}35722980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:51.558{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1273-62E1-C505-000000007202}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:51.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:51.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:51.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:51.558{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:51.558{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-1273-62E1-C505-000000007202}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:51.558{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1273-62E1-C505-000000007202}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:51.559{F81F30E6-1273-62E1-C505-000000007202}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:51.386{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C60636329C58FFE4F58CD0807A56611,SHA256=4260777988E3B8AA4BBB3585B647D0D4F6415290A3CEDD0559CDA41C6164EF87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.069{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local50233-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000330982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.069{F81F30E6-0B1D-62E1-2900-000000007202}2560C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local50233-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000083005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:52.881{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4AEC0B20AE423FBB78BB31D70C0471,SHA256=ED8AB72E5A5C226600EB84DAC56AF4D54454139125F1595702148F2A2ACEC87E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.589{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D29AF9773228CFD977C6E2C05122032,SHA256=E8A2AFD854B2C9A4A69681F45114DBEB82FDA149E9D6AC5BAB533AFF64899657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.480{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477A4AB8988077FEA4D635536CB345CB,SHA256=88DB6B8376AEF7A604A67290426A6956DC7CE86504C70BC99E6BACE988A4BC3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.214{F81F30E6-1274-62E1-C605-000000007202}51605636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000331002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:48.709{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50234-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000331001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.058{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1274-62E1-C605-000000007202}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.058{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.058{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.058{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.058{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.058{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-1274-62E1-C605-000000007202}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.058{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1274-62E1-C605-000000007202}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.059{F81F30E6-1274-62E1-C605-000000007202}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:53.975{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C83411793D90EFBC3EFBC25F9E3A49,SHA256=1EB543A1B99A50471209877E4BA8A3CE1EBDA28AA5A68B5B4A49AFAC80343ADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:53.589{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-126C-62E1-C105-000000007202}2796C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:53.574{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2480D92FF7EEA833342F8FEC7A996D6,SHA256=3E5478EA19733BCD2DD6333BEEBE1F2A75DD9881C45418E8CDC74643D8F97AE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:53.308{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:53.308{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:54.667{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B472D21ED265D672DF1A0D6273BC5C2B,SHA256=E0B4C7F897B9F3095CCA57B43CAFC5855B20D78E74238B559BFDF35F4027CAB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:55.761{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710284F3DA285FD6465D5CBFFB4166B6,SHA256=3B385A301823A780AF8351BE6216BE221232FEB3466B51EFA0297251BCE9BB5E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000331011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:52.181{F81F30E6-126C-62E1-C105-000000007202}2796datagroup.ddns.net0::ffff:127.0.0.1;C:\Temp\dcrat.exe 23542300x800000000000000083007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:55.069{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC90C56E0F272D3475C8782BD3235298,SHA256=C26C4B1F4ADBCF40735372338A6DC67D9FA88AAD7DD79B8534814E17D6B10044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:56.964{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174DD2BAB023DE72EBF126CA0F5E9524,SHA256=2044054AD1E19470E28AB54849B3708CDAC1A717638425A15F031D1FCA3668FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:54.419{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50063-false10.0.1.12-8000- 23542300x800000000000000083008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:56.163{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46621323F8069C63DFDB39A5BD986486,SHA256=4E90FC4518D93FD88A94116DB04297AD447485373C8D195D112621D6615631A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:57.256{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5B6969C2BAB256C358EECE85795A14,SHA256=67FB918FD751AB58D8224854BFA6C9479CBD3227267237226F1973E18E9A6316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:57.495{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:57.495{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:57.480{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:57.480{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:57.448{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:57.448{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:57.417{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:57.417{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:57.401{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:57.401{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000331014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:53.725{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50237-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000083011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:58.350{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D457AE5051059F6927A481C4A6A96A4,SHA256=5AE6FC18ADD0A79F6F3C0FE1224C72A0CB340707425E52A537A64DBB4F54726F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:58.276{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB90D43322D22FD4CC257946BDE7E72A,SHA256=401AD9855F29A6D5E07DDEC091A617F95E822D72C13A008EFCAD83C117E4CA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:24:59.444{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6516229C93303BBE76F4E8549390CD2,SHA256=DE6107BDB73EE0FBD5EDE8C3D3C4126C8B5815BA255B05A146E89BDE0F2BEA2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.558{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C46A8CDEDA42FAB8299768289F57A0,SHA256=99F92C5E575D0F2DE088C3B5136258146A12CBC72D29522F5815E50978E4F5C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.401{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.401{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.276{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:00.538{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705967EC0C2DF3F2391856460B5D33FC,SHA256=ECCE0F6D0CE138B585CA044C0E1648CB8562EB4C0F1F04B16E9CA1D3027D4F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:00.479{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64679E53C098F4CCF72ADBCA49951AD6,SHA256=27FD2E44707F97E7AF43A85731D4212176A597FB86EAA35A2AD37457C82FE1F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:01.631{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0197EB3CDA7208543690FAE7D34C3E,SHA256=F933D5DDC8FF0094C20375CF7666180B8501E7EE7921BB4D911C15EB64DB2F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:01.573{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80248EB830D15CF79AE7411FAC1D7113,SHA256=CA1A9C2676ECE550EDE7C61B3AAFF33251F86AA962C803DE463353E07B51A13E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:01.292{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:01.292{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:02.725{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCE4789190916C1C4E00E1E86531322,SHA256=22B19D186DCE4F1D9E88EF94EC7D0AAB24007CCEA8AA4084198FD5485C8678C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:02.667{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4DA3398070A8DA8F29CC862B2F1A0F,SHA256=629D88FA6AF8C1A08A8081D070071732A0D0608BFE1FD41224CCC371F05A082D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:24:59.694{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50238-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:03.760{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B390926F411CE075E7C21E4987BE3D,SHA256=65B3AB54CBB61B788B240D23DD36CB89C4838B85ED33DD2CB61D4592E3AFEB1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:03.819{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4889D7C58D3F40974C545E31BF1FCA34,SHA256=141800ECF2CA22738D1718EC874C3B1F65B132A10E5135902376E70CD64275FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:04.854{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F44634F6679FABA76A4BBA98C3D572F,SHA256=2B7C3621781D54D4CE9E9E6E7D1450FFDE361928B81CA696C42915BE6220D734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:04.913{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6A3E89B10BD96E299A23D12B93F94E,SHA256=E6AB4A8DFA65895139EE177A8F4CA57E0D7542966458E30BFC25AB5206BBBB7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:00.340{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50064-false10.0.1.12-8000- 23542300x8000000000000000331070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:05.948{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD4997CE17C063BED349E111C4E26F2,SHA256=CD0BA231AC5FA5247B51AA288BBAACFCC2D433362D7EF87D17CBCB561471214E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:06.600{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FB32F1A1BA11154AFD3DC85F97414E94,SHA256=96698B2947F95B35F285FF04C00C2BBB9FCB9E1838CA19031B876CB17F96F39A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:06.006{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2CD0F38828620AF49A3127DA311326,SHA256=75F2DE170AA16E2603915014A2F8273E47D3C0757FD6B55AFA674D9C7775EF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:07.100{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB7014EAEACE438D228D61B71900DED,SHA256=5203CB2F04BDA9C9D73ED48B3CD8A88B1095E943D7479E109BFFBDC5F4CE07CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:07.041{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6856E2B5BD30C3C3FF0F722F79722A21,SHA256=63FB7DB09521B4C28C8B48CA19E8629DED5E3214064F4BA704F2F6E759B05783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:08.194{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B43E6467FD3B8EF83412D0815639BC,SHA256=885A0014B7B0533002091984F0329CCE9F3753943C8C0F08796BAC2EDA02F5C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:05.356{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50065-false10.0.1.12-8000- 354300x8000000000000000331073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:05.693{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50239-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:08.135{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F3EC87A675464E7036EC1097312068C,SHA256=E7CCDFDFC551BCD55CBA205D399FD22D16158521586F86E92A559109BF37E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:09.288{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED62687283FA1FAC2B57BAD2C9D7E7B,SHA256=4F0970EF37FAC0DE05136F21EE2CC87A4339740AE616D6DBC54FCAA1098948CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:09.229{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DF33707570F65990040C9989C01B87,SHA256=4BE97BC2C4C4131E45BFF20FCAD720E6819F6F1A3EF8DC32EF428C21751C606D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:09.213{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:09.213{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:09.213{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:09.166{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:09.166{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:10.382{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A74F7DC5FEDC0A8F734707DB0CDD3B,SHA256=4C57B35B394A493C2A2E3A2746739F5FCBDA9194C66A8A5A2CC027AEAB0C7BC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.651{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.572{F81F30E6-0B10-62E1-1500-000000007202}12241996C:\Windows\system32\svchost.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.572{F81F30E6-0B10-62E1-1500-000000007202}12241268C:\Windows\system32\svchost.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.541{F81F30E6-0B0D-62E1-0B00-000000007202}6402424C:\Windows\system32\lsass.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.526{F81F30E6-0FDD-62E1-7105-000000007202}21485164C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888C35D3C) 10341000x8000000000000000331106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.510{F81F30E6-0FDD-62E1-7105-000000007202}21485836C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDDFD6) 10341000x8000000000000000331105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.463{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000331104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.463{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000331103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.448{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000331102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.448{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000331101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.448{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BEA17B) 10341000x8000000000000000331100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.448{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000331099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.448{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDF36B) 10341000x8000000000000000331098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.448{F81F30E6-0FDD-62E1-7105-000000007202}21484508C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDDFD6) 10341000x8000000000000000331097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.448{F81F30E6-0FDD-62E1-7105-000000007202}21485164C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF888BDAAA9) 10341000x8000000000000000331096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.448{F81F30E6-0FDD-62E1-7105-000000007202}21485196C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c1d4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0FDD-62E1-7105-000000007202}21485196C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9414|C:\Windows\System32\KERNELBASE.dll+c7105|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0FDD-62E1-7105-000000007202}21485196C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0FDD-62E1-7105-000000007202}21485196C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0FDD-62E1-7105-000000007202}21485196C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+55fc0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0B59-62E1-8100-000000007202}2960884C:\Windows\system32\csrss.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0FDD-62E1-7105-000000007202}21485196C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7437c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5522b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.425{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe5.15.2.0-libGLESv2-libGLESv2.dll"C:\Temp\dcrat.exe"C:\Temp\ATTACKRANGE\Administrator{F81F30E6-0B5B-62E1-E402-080000000000}0x802e42HighMD5=E06895CC68C528CCD69780358C4A9DA8,SHA256=A7BC5B997A4051EF86F2BEC3C3E21254AFF16F8CFFF9ECFBBC06F73DA39D5F9D,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000331084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0B0F-62E1-1300-000000007202}965248C:\Windows\System32\svchost.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.416{F81F30E6-0B5C-62E1-9000-000000007202}45884744C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.213{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE31E8EB08E4F560C7CDC1A8E9163F2,SHA256=95F7B6D3FF56FA9040C073D4E4EE37E4BEC5BEBE7A261FCC11A058C583FBC20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:10.010{53069400-0B11-62E1-1E00-000000007202}1976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220727095323-030MD5=01981A41A7FA64D01C3A36AB72844534,SHA256=A596D5DA65530F5A35DD48212239B05D1A6D10867138ED42410A832D159D4E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:11.459{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EC252486877B59E5FED347F25961BF,SHA256=6918B0BFAEA713D4AE1613869B34387B427F8CC44B5AE2EDA0A0D25247C6F1B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:11.588{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F80E8EBDD7100EC1BBD5C882E24B4600,SHA256=BB3CFD9532CD64BF1935D32B8470BEDCFF3D94C89E1E71BF0463AC8F4A82C44E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:11.588{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53AB96C252BAB6AAF1DDA378BD087E61,SHA256=4D7DB00206D56581C5E08ECF0281291FD1D4E44E05389F4400D650583FD05FCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:11.260{F81F30E6-0B0D-62E1-0B00-000000007202}6402424C:\Windows\system32\lsass.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:11.260{F81F30E6-0B0D-62E1-0B00-000000007202}6402424C:\Windows\system32\lsass.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:11.024{53069400-0B11-62E1-1E00-000000007202}1976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220727095321-031MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:11.229{F81F30E6-0B0D-62E1-0B00-000000007202}6402424C:\Windows\system32\lsass.exe{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:12.555{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DE1F91FF5EBE1EE0266090779C1EB5,SHA256=0464F5F1D28AC0E23337763141E8A595B628BBA9A34A1FA1391AA97686931FC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:12.572{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:12.572{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:12.338{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C4DB507F799E6363C7CBF1DDB3959C,SHA256=B1270CF62FA4CC9F632D2EFFAC7C818F2B6663B1B8C0FAB571338A7282B4F0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:13.648{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F83EC2DEA489D168F3AEF26799ABF7,SHA256=25B20432941F9F9A237383AAF34C601DF02D0AF4A6EBE0F5B91271B16805EE12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:13.869{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1289-62E1-C805-000000007202}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:13.869{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:13.869{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:13.869{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:13.869{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:13.869{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-1289-62E1-C805-000000007202}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:13.869{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1289-62E1-C805-000000007202}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:13.870{F81F30E6-1289-62E1-C805-000000007202}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:13.432{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD394B6299B7AA08F5E39D9F49EDCE6,SHA256=493EF755FCC52960EF369C877F5F24DE8181AA348EEE60BA6D7C9B9E72051312,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:10.465{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50066-false10.0.1.12-8000- 23542300x800000000000000083032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:14.742{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07BA69505920D07F3BE956D79410141,SHA256=3B31131B8E0267EDDA00B3B80C82048D06C99FC6CA37FBCE7E7F990AEF699ED5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:14.541{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-128A-62E1-C905-000000007202}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:14.541{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:14.541{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:14.541{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:14.541{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:14.541{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-128A-62E1-C905-000000007202}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:14.541{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-128A-62E1-C905-000000007202}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:14.542{F81F30E6-128A-62E1-C905-000000007202}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:14.525{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C04AB18D05FB6601DD6410C257E17C,SHA256=0D8CA32288618CADD8EC8A5D91B4CAB5276D84CBF2D405B35C278556C0FE3AFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:10.725{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50240-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000331129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:14.057{F81F30E6-1289-62E1-C805-000000007202}12405972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:15.836{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8655EAF40EC5F9850C8E806B3A44889,SHA256=8BEC96DCF2816808E49A0020F116B5ABFF82DC800331DF624C8BDC8882964298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:15.619{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48AAFAF2C0798B967151A6C7CC1D90EF,SHA256=87D01BB91A12E7D1B6B5F8ED6F521A34F032C1B18F6570E616133CE63CE97DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:16.930{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0836B2173B687AC63D2F62E836AB0105,SHA256=F2EACC6ABB74C275BEE05FE5313B03EE50D1C2A64CBB41D11784CF375433274D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:16.713{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91104DCDAE24D073DCB82CED46DB6B7E,SHA256=80F69F46F5FC2E303B80638F542791729F715DD41BF5FD5581E4692E05CEE0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:17.806{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03BD104036F265073B6CFC4E4CAEC45,SHA256=26E8498FE2D4B322593149D8597718EB8DDF152734AC8356E5B402CF7CB4C248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:18.900{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF23BE3719AAA31C35EF32669D42697,SHA256=AAA9445C096E838C10A42F28C6C2B743F4C58BB6A1120BEC696501EDE9A8DBD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:18.023{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A61E0D67E23B40DD50F35C0225110D,SHA256=70BF998B96045978A87568C7131946B464F27B14AB70E5C4D7E114BDFF98A3AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:18.806{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:18.806{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:19.994{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0751ACC96769CABC9DEDE3DFE27200CF,SHA256=A0514D6322140017982376698D4B1D28D2145E0B2474C966D2898F1742196DF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:16.435{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50067-false10.0.1.12-8000- 23542300x800000000000000083036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:19.117{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BACAFBA9639418749440C6417C4E24,SHA256=E07D31251BE9CC0F48032FF833005FF654D74E10472E00263101109D3053A716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:19.447{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=832CC14CFC82F2D72B0A5D9B261FA8AD,SHA256=73BE032A9B5976C696BD259A682581516335C9DEAC231F57BCC83C17AD6B4BC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:19.103{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:19.103{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:20.211{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4A984149C60550A3342183403AC7B7,SHA256=31344DD23B26C2A4C4319EB81E29CD776139D8F5BCD450A4AD7D18C95EF01C05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:16.633{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50241-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000083041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:21.477{53069400-0B10-62E1-1100-000000007202}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E06C0061EC1143D77306FC8E9846D295,SHA256=E3A8EC6A6986E85C5ED374BFD74E10CA3EE3639139FD1A0EC294B0EE32B0EE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:21.398{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:21.305{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDDA746F8B1135156276460DE393C35,SHA256=18FA764FB5238E891D2121BDD6273AC8FE59C4AA10BE2D22A4C76D8CDF302236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:21.681{F81F30E6-0B0F-62E1-1100-000000007202}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=09A990843C27C428CDD8E48B13294B5B,SHA256=3293D7663FFE8DAE0E76D74D6A2211B531A5C03D0E7562F326E03F2F1A37BE22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:21.509{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:21.509{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:21.088{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14DADFD685ABB5BEE590BE5AFA678D0,SHA256=7A3231B5B564B3B86C0877C830BB3E6678DCF32AC5E5988DCEF27AD4EA889A27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:20.654{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50068-false10.0.1.12-8089- 23542300x800000000000000083042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:22.398{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F04284798467EFAE3F22C969A16705,SHA256=1A959B575D75DD6B4CF683C68A159D3C24D710D5F25EEEE43F985B47C90E2213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:22.291{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9158D98CF9386364BE21A0E264515F5F,SHA256=C7708E45A2AF9EC718B7C20BC495CC22756550F3485C5B59CBB74A358464EB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:23.492{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13328D84619420DC885DB00D523B0B4,SHA256=FB0DDEEBFCE8AA77DB48842067E6CE3EC8A8C4B6A5E89CF387BCE1AFC99FB458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:23.385{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C53509FE8BDFADA4B3DE96BF1B764E,SHA256=BBF595C19D60F56D2F52F3AF0CF2C33F09D93782A6A34E533CAE305AD578C8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:23.060{F81F30E6-0B1D-62E1-2C00-000000007202}2616NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220727095336-030MD5=99DFBF69F36DC84C9E4F055F96F6DBEE,SHA256=5A6F241667B5803E3B22FA8E48F54177002A808F58B64D76EA864214BBAFB413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:24.586{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A0028D4E8A019DEB9AEDEEADF4C6B0,SHA256=206525CACFA2684FA6D8A5F6BA0929A2D4CBA50B21F67CD3FB780DCD7152FBC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:21.823{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local54599- 23542300x8000000000000000331159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:24.478{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9D0DE81A02442F6289CF6209A676AD,SHA256=12FBA9E1066B2767581D93DA97B7A9B0D93742EA89AC7E0F31035F8775C19E87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:24.430{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B10-62E1-1300-000000007202}752C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:24.430{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B10-62E1-1300-000000007202}752C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:24.430{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B10-62E1-1300-000000007202}752C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:24.074{F81F30E6-0B1D-62E1-2C00-000000007202}2616NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220727095334-031MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:22.357{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50069-false10.0.1.12-8000- 23542300x800000000000000083049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:25.680{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44EBF514511FEB0E4E9F5E4C5D88DC6B,SHA256=B77F229A917732743D483EAF946017FDB8A9198FA30614B4D7832F1919EBE4A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:22.601{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50242-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000331162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:21.824{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local61024- 23542300x8000000000000000331161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:25.575{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F764EDEA23A65ADC5A9522198040AF3,SHA256=10033260EB90CC555F6ECD11506A990482C19678C7AF8E025CDAC43BA684C708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:26.773{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF219DEA14298CDB1627E5A8C50D71BF,SHA256=20DC6D32BFE16321FEC4663286E2D4F97C4CE7E90AC5FC46046CF76741BEC4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:26.669{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBD4766145FB2EA5139274A3E091CC6,SHA256=05CCE6836E696D5B62ABC4876D48D077E2B75E809C4B35A64E6E68983D771231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:27.867{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB221CDA9A22665BD5746FD31D27FBA,SHA256=CCF7CDD39797FFEC5481023406A97557FF47A7EFCCB01F61693CF49F099EC790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:27.762{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058514A1298763FD40208D36DE2B7F9D,SHA256=E7BC2C0B7CD4FCBE3B5F9B7B21A10E246B7D40BA3C5528893BEE4EF8CF40E9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:28.856{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B78444A973E5F5C58A742C8A72E3F6E,SHA256=53F51CF9507070AE55DF344F6B082A93ECE0B3E760851F5F304EE7E1324C83DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:28.961{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F69242BBDF8166D7598599EBCE249B7,SHA256=B136A1C714CC6A39937AFDC7EBF46F28129DC40776F5B9B72B08DA954D2C2388,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:27.529{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50070-false10.0.1.12-8000- 23542300x800000000000000083055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:30.055{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595C098D723CA18861536FAFA2F6EF38,SHA256=B989A47F35E45ED85FF3B2CE48C7BEBE22094D2AAF44FD173AD472A691A46016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:30.059{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A68DEB6C6CC592B6738111E88257AE,SHA256=79F6BF995AF49F406F10D62C3385F7F34A1CC18A6319B395EDCEDC430C210DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:31.148{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34DA879BEFCCBF3EACBAACD4CF1AF4E,SHA256=D8826221BA2978CEBB84FDF598971CAFA5C86EBF144F81DC3AEFFFA3ACEE79D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:27.730{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50243-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:31.153{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E222E504584FECC8C6A8D0C487D33068,SHA256=F2E9DB83142DCBDD3F9EF6AB427729C1BFB4A6D4C5B627B786491A10F7E3BF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:32.242{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7D84D3A990E392783D2E2F8E743758,SHA256=84F77AB1D5B0FBCA7831E0F8383085DA0D010CA0B73C3345ACAD3FCAA3E3D007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:32.246{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897720652E2DC219A9A9696A9E0A8F69,SHA256=489748C74A0027594EC33D73A467C5920A72511425744145DF60FB366FA63522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:33.336{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EDF30ED7C790F115560111D6760B5C,SHA256=6B5F7747E0730010EA8BBF0CE628E1839B2A16C31444DE3C5C7A07C0F7580D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:33.340{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE5C9740A91CCC43179F2647BEC8000,SHA256=2CE320AB5C01FFF328662DF3BEEA1ED0E096996B98BD666AEB55D4ED50150A02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-129E-62E1-6601-000000007202}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-129E-62E1-6601-000000007202}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.680{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-129E-62E1-6601-000000007202}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.681{53069400-129E-62E1-6601-000000007202}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:34.430{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5AB0A6D5C5B43EBA5985DA9173BB25,SHA256=4022B662E0ABA43BBA678376EBDA2ED1726C03178ACB85C3ADAECBDFDA22E4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:34.434{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C04BB772FF2275705785D6597A0FD2B,SHA256=06E5349C3D7ABB1F8F2CFB9F2E198EEFB123754390B9E509AA1FDF80884C7C86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.945{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4DC32CD04469116BF7F520BCA2E7541,SHA256=0BF212EA176FC7EEE961B9AC07540B34D492AE08D6F681C4A426EDB4712F2386,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.711{53069400-129F-62E1-6701-000000007202}10763760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-129F-62E1-6701-000000007202}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-129F-62E1-6701-000000007202}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.539{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-129F-62E1-6701-000000007202}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.540{53069400-129F-62E1-6701-000000007202}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:35.523{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CF7BB9AE79B999F2BD38D821B73A1B,SHA256=B3420875D53A769420E21A18D9A4CFE6CA8255A9AC6A4CA73DD11551F9A90DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:35.527{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8850CDA15EAFF5F1A09CB6A1649DA8,SHA256=6AB57359064A02D77E0E55B42891006DF2CC46CC44DF94CDE7B4ADFFFF7A490E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:35.043{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:35.043{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:36.621{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA16942C9D1A00EF71B81642617C57B,SHA256=DF151C21D933A454E0B267120D6E3700C7AB333B81C9A4BFE3B81B9C99F7FE41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.805{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=545D5F68452E7E393C6B97A0577B04A2,SHA256=9ADE54BC61D6C9D87EF11121C1C13142E6F528C4AAC4BD7BDEF01E1674766C60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12A0-62E1-6801-000000007202}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-12A0-62E1-6801-000000007202}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12A0-62E1-6801-000000007202}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.727{53069400-12A0-62E1-6801-000000007202}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:36.617{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42602869347A4231DFFE9DCAE22D011,SHA256=F472E04D506E857C7C9C3AAB302F1C51929335C9F6155214E371331759B9AC8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:33.326{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50071-false10.0.1.12-8000- 23542300x800000000000000083105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:37.711{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E216CDC459B794ADE769A95F9443C125,SHA256=29DB945EC2A206D884AEFCAFFA72988DB407AD181354204990BEB6BC0A9D8603,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:37.840{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B0F-62E1-1400-000000007202}1116C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:37.840{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B0F-62E1-1400-000000007202}1116C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:37.840{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B0F-62E1-1400-000000007202}1116C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:37.715{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B5B69353975E712DEDE274AEC7C400,SHA256=845052D22047F6FACB6987959D181E91B59D03DD05935E66D805C6845F4649C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:33.728{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50244-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000083120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.805{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE64F583EFA79A233D02A7135903CBA7,SHA256=E347E51EAF1B53CC84AB1FE384245480357E553CF70BD0155BA1AFB44F361890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:38.960{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A04B8FFA817C9429C249301884C85433,SHA256=E75849A716D2F03A3626BA4F9FF34F22668B3501EE5B39A69BAEE745DBCEC889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:38.882{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB115392E2F9BA2CA87C3422F669762,SHA256=A5E8117F1DC7C425DF838458A06C2047EC4597F7200E7B49A453C22FE770C1BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.727{53069400-12A2-62E1-6901-000000007202}38443920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12A2-62E1-6901-000000007202}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-12A2-62E1-6901-000000007202}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.523{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12A2-62E1-6901-000000007202}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:38.524{53069400-12A2-62E1-6901-000000007202}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.695{53069400-12A3-62E1-6B01-000000007202}31441512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12A3-62E1-6B01-000000007202}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-12A3-62E1-6B01-000000007202}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.523{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12A3-62E1-6B01-000000007202}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.524{53069400-12A3-62E1-6B01-000000007202}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.242{53069400-12A3-62E1-6A01-000000007202}9761268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12A3-62E1-6A01-000000007202}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-12A3-62E1-6A01-000000007202}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.023{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12A3-62E1-6A01-000000007202}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.025{53069400-12A3-62E1-6A01-000000007202}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:40.164{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D109112D9EB5F863DC49FD83C2CACFE,SHA256=10288A7E6590070429A01E7DB7088E3D22FA84219C0A092F6E06AA6650F2B6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:40.085{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F9FBE4DE88EEC888ECDAA8FD310D3D,SHA256=96984D8E0B9D6F854EA9113AE8BE1A4439B7BAA293CE290A2330F761697E8ED8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:40.038{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:40.038{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12A5-62E1-6C01-000000007202}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-12A5-62E1-6C01-000000007202}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.742{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12A5-62E1-6C01-000000007202}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.743{53069400-12A5-62E1-6C01-000000007202}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:41.211{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03F1D885BEBDDC279386848C5726D0B,SHA256=3D47871A8A84D32A9D7A92E00F089EB03C50BC63DA6443F1F236EBF229B83E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:41.069{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F2A2DCE5B9EF7D8C1713C4E5136388,SHA256=F71E4E5C05426A9FB2890465807E1E56A8DC38E024A5E7D844E91304BCF7F6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:42.163{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF93CB2200AFA74DEF938ED5BF703A2,SHA256=D62A06A8BDE14B559A2DFEA92DFA645E7EADF4A4051C81FA8938D6C51B70804B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:42.836{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A278544BD49345DACEB1F67504CD4E23,SHA256=23F4B23825E176D54A18BAD0D096FCD979C4F1EC0BD37F158A603A665F4DA89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:42.305{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D7502DBB77E92007066B0CC31334AD,SHA256=EA2FE880A5D754A6AD64BE36F4F9BD3577E0C92987B1AF94758177929C49A81C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:39.326{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50072-false10.0.1.12-8000- 354300x8000000000000000331190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:39.738{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50245-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:43.257{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEDA2CB29F3FFAEA186BEF66A8D3425,SHA256=E1B5F92EBA762DD48424D6FB220399D5695C53EBAABEA3EDF3B74AC58C70284C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:43.398{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B48F6602204B5B9722381E5C88CF7B9,SHA256=033AB982043C5B5F3335C53E659B5E6335876B3905B1D74957BD2336B3096F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:44.492{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010AF775FA23264B89A74A89750528FA,SHA256=46996E79749A1869A877C660ED0F117983ECF963EBB05B3B944B5D515C3FA454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:44.350{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E66072B2FA0334C9E668021D36A883E,SHA256=AD1779DB82F0DB4F62D2D2A38A9742C124CD9A66A8783B4F524BF8577C4D8F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:45.586{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69103E5714F66D8DC631BF33A9CE3A0B,SHA256=3F6DCA9D1353221FA7D034AFD2040B7D24D3374E4AF34854A1FFA0CE79939282,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:45.960{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:45.960{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:45.444{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF5C28D0CAFD27D8460E94CC968CC38,SHA256=9102B7F43C256EF7F35CB8A96ECC1BE6F567051576482E8E4779C6A7D6B790BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:46.680{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8ACEF5C95C4A1C9D9CECC8805D70E4,SHA256=36F0B13FFA871BCC1AB7AC04B03F3441B221E03238371F4806033233D3182664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:46.538{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6C5C7DCCC5383FCE678E43338FB3E8,SHA256=E9C57C858BF84F3CAEBC307BB924FEA9857E8CF58089F465FBE30C4EC43F0221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:46.241{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:47.773{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07499D5375B292BBE73190EB2B90CD5F,SHA256=60D711D380F13B3F41C581F6F1BF9F4A7F9222E637C1DEEB1EE20A096E13CCE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:47.631{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84064C304A8AEAF6BB52894C2F118418,SHA256=64A0087954022601AEA13BCA59FFF0A7DCE0B504847959B86923DDACF84A11AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:47.553{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12AB-62E1-CA05-000000007202}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:47.553{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:47.553{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:47.553{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:47.553{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:47.553{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-12AB-62E1-CA05-000000007202}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:47.553{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12AB-62E1-CA05-000000007202}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:47.554{F81F30E6-12AB-62E1-CA05-000000007202}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:44.373{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50073-false10.0.1.12-8000- 10341000x8000000000000000331198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:47.381{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:47.381{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:48.867{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B49FB028C94C09C5E2BE5A939A314B,SHA256=4777147F6551CD8AD3A0F16F6013A0E0B740293C4831E5505A3DDCA3E3ACA8BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.631{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7890B7611B1D19066D9A8F43D7553EE5,SHA256=7C23DD1876E7D77D3048E1F71EEB5A5AC629F0794F95C4DED666B88AC0C6A18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.584{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9691368BE664CA52E7169C0B17CB48C,SHA256=4EB9CEACCF14B5F71D7BB304EED3BDE631B3FE92884763F1B93F0CB9E614E14D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.413{F81F30E6-12AC-62E1-CB05-000000007202}53645600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000331217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:44.785{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50247-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000331216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:44.769{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50246-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000331215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.225{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12AC-62E1-CB05-000000007202}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.225{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.225{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.225{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.225{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.225{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-12AC-62E1-CB05-000000007202}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.225{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12AC-62E1-CB05-000000007202}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.226{F81F30E6-12AC-62E1-CB05-000000007202}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:49.961{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57806F312AA1D41C80326EC0344CF97B,SHA256=7A674087964C6A14481AC1A83FD05FF5AD62993D67F1B220E1F31D15C6B9A3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:49.741{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=682EC31BE981198379A3B890606CF67F,SHA256=58675368E602CB59659541C57E4245058FD898AC3D5B34FBABBBAFF1D73BDC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:49.725{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1B1E67C54357C8BCEF25E5B70C4721,SHA256=8C51916B2FAC081995D1640B10CA6C9CCA1D21B504E00305B85CB2023AC504AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:49.272{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12AD-62E1-CC05-000000007202}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:49.272{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:49.272{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:49.272{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:49.272{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:49.272{F81F30E6-0B0D-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{F81F30E6-12AD-62E1-CC05-000000007202}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:49.272{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12AD-62E1-CC05-000000007202}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:49.273{F81F30E6-12AD-62E1-CC05-000000007202}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:50.819{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0514CB28353C26C39E052D2060B7F487,SHA256=80A9D189A82968B228279A09A206641FC06B8471CE4962BC03DEA4F2656B17B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:51.912{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F16C992F77D624F655B61AA30D7A7B,SHA256=DA5A95828C6497FE06B190E58D0B5ACD93280739A52CA26642AB1FBED75B5A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:51.055{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EDB81945DDB5DF94137A1A07FDB7BE,SHA256=A4B5FB51F9974F2D8CA946AFB0EBA2D81A08E7C26B1CC4BE584EA271AE61AD16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:51.834{F81F30E6-12AF-62E1-CD05-000000007202}47325832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:51.569{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12AF-62E1-CD05-000000007202}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:51.569{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:51.569{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:51.569{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:51.569{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:51.569{F81F30E6-0B0D-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{F81F30E6-12AF-62E1-CD05-000000007202}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:51.569{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12AF-62E1-CD05-000000007202}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:51.569{F81F30E6-12AF-62E1-CD05-000000007202}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000331233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.082{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local50248-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000331232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:48.082{F81F30E6-0B1D-62E1-2900-000000007202}2560C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local50248-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x800000000000000083177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:50.388{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50074-false10.0.1.12-8000- 23542300x800000000000000083176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:52.148{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF97B153A60A7CF7C9CEC8DA7B1DB7C5,SHA256=E40FE8B85DF4746D1B766833FFE59595D56697AF27E9A2B0037084970C7FC1F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:52.241{F81F30E6-12B0-62E1-CE05-000000007202}31724536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:52.069{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12B0-62E1-CE05-000000007202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:52.069{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:52.069{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:52.069{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:52.069{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:52.069{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-12B0-62E1-CE05-000000007202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:52.069{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12B0-62E1-CE05-000000007202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:52.070{F81F30E6-12B0-62E1-CE05-000000007202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:53.242{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054DB24807F3852DA6ACED4158B5D1B4,SHA256=E84E542A1FBBF03145830C948B0B0EEF2100761AD3C0436729045515B95B4CAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:53.881{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:53.881{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000331256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:50.613{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50249-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000331255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:53.444{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:53.444{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:53.006{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60B37C2FF26318F309F9ACE31636BDB,SHA256=72E25169C75245162FD4BF146FD3B2BD98B27209296170F17AC09890927E1523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:54.336{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB29115D60EC4B790DD2ACD24F4F929,SHA256=96024F94391B2F1E515940272185EC622330C9FECAE45A66A19356DBF31FDC3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:54.334{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:54.334{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:54.100{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09055038B249C73AEBBC664BF1640649,SHA256=B2FB790E28DFFCD8CFA6031365E9D2B2588C03E60E9FE018BEAAFF095B22776A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:55.430{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874414EB3EBE2CB0D18D129D8901B36F,SHA256=BDBEACCCCE87410A2285BAA612D831C04004CFE90D12B064E42DC9A4F6A427BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:55.787{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:55.787{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:55.193{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A345BB7BFE24823D3DF05174E9FC4B2E,SHA256=ED50A944B21FEA376F16092E00195E12DC79704A1CE5198D73FC52BA315AD837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:56.523{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E6DC403EBD685B90E176A927DEC873,SHA256=B8E1DF8AC0EB3F9E5B1DA104A9AFCA86410D2FBB24E7015FEB16DB67D592B25D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:56.287{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89AA7B12FAF4E0EC7424A8C0C8B7C4A,SHA256=9313571BF97B2662FC92F8823D8ED365DAA5D17D1F6941DC537B0450DCD2B2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:57.617{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB807A8BA8E1949A4E53DDB3605B9635,SHA256=D395DCD70254FB903C35D3B8FAEF20925DE0BD55370EFE3735A0A229747C9F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:57.381{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8EBCAAAD4374F638154ED853FB8768,SHA256=860C8C82971F1D5B12DCBC2FCB0B1564AC8D308E6E9AEB3AA6F03EA38BAD7A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:58.711{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260C4DF0B3BCC73A6A5C41A6E3EA47DD,SHA256=35FCBA556DAAD26F8ADA9322BE86B8F3A282BD2A19EAB94B38D0099D79A34FA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:55.644{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50250-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:58.475{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3464A7CFFD3275CB84226D277934094A,SHA256=E5BA288FA7EDB44D03B3EE776A600DDE04CBCBE4A9779EEFB557EE180B75ED58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:55.529{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50075-false10.0.1.12-8000- 23542300x800000000000000083185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:25:59.805{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B49FB73424D5A3216028D00833A5843,SHA256=46AFF03AE22BFE8C2AFD3009634699EC7A32D4EFB533F19CC2FE736ABF8799D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:59.568{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9124F37B9F9F9A3949AF94010C67A02,SHA256=174B62AF02BC9D088C49D1D78D2257EC1BFA3C096DC16A0D21069D1467EF0C2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:59.256{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:25:59.256{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:00.898{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A460F366F52D06E865F04C7F7956CFC2,SHA256=59F2CC79CF048276B10B055E8B0C2317B2909355E9F4FB4DADC9614BB1D9AC2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:00.678{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3084C834065EAF8ABDE48851D1372F44,SHA256=8518CFD13939594A478E54C70BFBEE31205FCAFAC508AFF09EB228B76A379FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:01.992{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED86692065DEC90FA9BFB42706008D9,SHA256=AB8F6D4EDC038679CA67F2A8FE1919C8A26FB37E47FF1A76BD5EBF091C0EB86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:01.881{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA3CE84AD43CC1B7D2C665243254AC0,SHA256=2C08810E9B985F9582D7982E9D6D52C56CB35506CAF262326B40DAA7FBDE618D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:02.974{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2862901D57AF1AE6DAABEDB7331E401,SHA256=46D2201A5EA1FA39A7DCD9FF96F70AD40E57076E802600E80C3791946F5FA577,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:01.466{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50076-false10.0.1.12-8000- 23542300x800000000000000083188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:03.086{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9992B9D1ACAB61844477923D8B43927,SHA256=45788325C55E01224EA15C9871A8D055B1803E5F049F3702B3AC47BD611A59B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:04.180{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8855DADF8896B934E17CC503C9A122B,SHA256=D3779D6C2C3CC23F16A3A87545CFD4DEBAF93619AC32C084D18F79BFE86DDFB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:01.629{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50251-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:04.084{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E48D0717C442BADF720DFC184B6C4708,SHA256=CBF6CA39732BD22E7A7C3223EF3563731087C95D9E4CF061D6C5EA5B82274B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:05.273{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA1D584135A2AE17B2D90308DFAC545,SHA256=455FF98750AE12D8A33970F5629C730BFFB3BB1DA6532CEB4A0A16B63A183229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:05.177{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C5ED8BCACE74B4874C3942070EC90B,SHA256=90D0BB3915063C492D752180BD696EE13F3688AB081614E9D55671A4D1E11012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:06.367{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80219866C5C4486B2847B33E576C792E,SHA256=67315A2297FEAF62C6BB51BC319B4E7C7A2DEBB18C04450B07D7A884907DBC51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:06.271{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217F220D364E1E780EBD997222512157,SHA256=00D6946F541F1C2EDB38AC31F36FCB872F8BA7B0A7BC4024D1A2B16F33F65192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:06.055{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7CFAB9ADE6F95C8B104ED10A7441CC6A,SHA256=F4AF4906524F3C8DDF54F076DAE05FB215D1F69B2CD07B02A427A2E4249377CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:07.461{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039360ADA067DD8A4A83E9B0792E51E6,SHA256=7668FBCD58DCF54C73CD884A4641443079B9166C65AEAFAC17982950F58C50D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:07.365{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D2B7C77AE3DD5964D5B7C53A97E614,SHA256=4F6F5D71EB5CBBE29C9B135D54CC0EC46C194C6C43FF6B12942E227483516333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:08.555{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0278D73C683062BCD988BCB133684BC,SHA256=6C5E1FAA7CA84E71F4B2C964C698DAB13EDC73CF1B8EEF80179107F53F652916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:08.458{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9D7E1B708BF2844747870D318FFE20,SHA256=2CAD8BF66EEB9B193D958A998F2154A55D432BC2E5648F631D221CCA2F85F918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:09.664{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191269FC11BB53EDDBF19B3656DF0333,SHA256=BCE7057D7000FB7A4C48FAFBD13B40F82ECB98370324CE146D2B438936645EAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:09.693{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:09.693{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:09.552{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884925ED756B5E319D1F3FD11AA1DAF9,SHA256=A10FE08A243251DDD439E2AFCC845849E142AFF4DBFD9E4A2E085595116F7308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:10.758{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3EF753BB217F4B73ED5487549521A3,SHA256=9CE53AACE1DF607036152696207A68628DBDFBDD07A125BB9096FB19A842E10A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:07.644{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50252-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:10.646{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12C9A9BF6AA540C96A3AC115DA55316,SHA256=F5DFE38901D9235503E5E31B664FE871CCD4603274D573AFDED998E8EE519693,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:07.498{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50077-false10.0.1.12-8000- 23542300x800000000000000083200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:11.845{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5278F1E370ABAA9C0FCDC905AF134D35,SHA256=FE95822B9F4C13B58B5E6F892B72BB76B567A036999C5AE34B2635F6BF759740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:11.740{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB1A20189468672EEDA8E0ED77EDC92,SHA256=18F5B2F8C7DD222C2E34DF9FDB28C117E61455A0515D5B3F1E7A5F96678AE7EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:11.544{53069400-0B11-62E1-1E00-000000007202}1976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220727095323-031MD5=01981A41A7FA64D01C3A36AB72844534,SHA256=A596D5DA65530F5A35DD48212239B05D1A6D10867138ED42410A832D159D4E1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:11.583{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:11.583{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:12.936{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C0FB7DFDA1EA9CADC079B6CEB9EAD1,SHA256=DD2DCBABF2AFA54950A2B8647D14FBB60DCAE81EBE3A0CE0AC149C8B0DBBD738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:12.833{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCAC3E284BB43F2783B718BC9F96057,SHA256=6D1E951B42BC65BE0C262A1E3ACA29C95D87D3C3854C3F33290E1DC35BA553A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:12.549{53069400-0B11-62E1-1E00-000000007202}1976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220727095321-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:13.927{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0250ED4AD97E2231DA642B8FD1492B8E,SHA256=FAEA3E930C66151146BC1A05BCC2A119C22773C49DCB99D84728BC7677AFD2E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:13.865{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12C5-62E1-CF05-000000007202}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:13.865{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:13.865{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:13.865{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:13.865{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:13.865{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-12C5-62E1-CF05-000000007202}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:13.865{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12C5-62E1-CF05-000000007202}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:13.865{F81F30E6-12C5-62E1-CF05-000000007202}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000331291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:13.240{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:13.240{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:14.958{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B131ACFA67FD3DD2FAF6324A9760C4A0,SHA256=6F92EE48146B70B0C5592279D249B7619085B22FAD28819158F116BB3CB69363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:14.032{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705C691295DEF2225BDB0C3B75F1293A,SHA256=48BA8D73A329D3111EA431FF8FE88BB090BB75F710824DCEB95E42F2887ADCC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:14.599{F81F30E6-12C6-62E1-D005-000000007202}42043708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:14.364{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12C6-62E1-D005-000000007202}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:14.364{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:14.364{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:14.364{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:14.364{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:14.364{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-12C6-62E1-D005-000000007202}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:14.364{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12C6-62E1-D005-000000007202}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:14.365{F81F30E6-12C6-62E1-D005-000000007202}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:15.141{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DB70FF0B7B6BE5C3524E559B65C696,SHA256=0EDC7FFBB0B83D3BAB56832EE69428F9B0679AC93DC4F90E5A1C33A330CC14AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:15.021{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CFDA849E1F1128E06FC462C1AD34151,SHA256=EB4C90DEF71BE57D47ED9634A15B8F86EDC003ADBBB326E0945C43D204BBAB93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:16.235{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA897BDBC5028DAC3465E86BDDA6DEDA,SHA256=00155FD9DFC74A50C7B8AD0F6C6BF7B02569CBE2532BA11D53825323DC0A85D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:13.459{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50078-false10.0.1.12-8000- 354300x8000000000000000331313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:12.800{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50253-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:16.005{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65204E312F8901D86F6F7E3E184A1F1E,SHA256=FC51BD6E044007D6BE1F556E30BDD608EECDB8C1EDACEC4AB78C05DB7786FD2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:17.328{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEF4AFB0F38BD827A259E711CEA3284,SHA256=82898A60A97B5AF44306B45794F946EBE342168561ABB813C56C73F84B760E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:17.099{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D63809A74F01C6A11B576D623950119,SHA256=7F214F381379EEC23F054922706AD50876202D03A0F6EA791A38B513700760A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:18.422{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B91A7F663DB0AF02702B7110F92E580,SHA256=ED7570BAB982AAB4C5B2CC4AC253721073AC50E16202498A270D8A9B26061F3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:18.192{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1801255376EA34FBF17D580DD67AEA,SHA256=FA8C58FA41F3EDE4B927CF877D26665E3DB027E2758B2C7C642802B9791FE06D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:18.192{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:18.192{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:19.516{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1065EB6F0E6B61D65DB1B7CC57361C,SHA256=0403995D55050717ADCD39576DCC8CE7B7B3BDC7F2F893A564099ABC10B67CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:19.286{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40D913186C372E32ABB2E6079AE3232,SHA256=8ABA9F4443691ED8514349F5305BD6236EFDD16608371F9EAC8DAFA485243E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:19.021{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7E6714548D6875301EDE0DEE97F50CE0,SHA256=06CE7C169E4575BE252516318786DED22CB20ADF671884AB3BB951461997CDE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:20.610{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DABC02DE7C0395458D85A2FA69C1FA3,SHA256=1AA49CAA2D920B986565FE3B8F2999484E1AA252C178FF989B93E305D4FCEDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:20.380{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07563603570CE3DB1357605A55CA3947,SHA256=AFCED2E68E820E7D6DDC31D62ECA39D70AE5476A17D1E32262BF7F060BDA7BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:21.703{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926579D9BAF4BD48EE9BB17CCF96BF53,SHA256=768BAFA5AB810183E7D50A35C254E6ED5280C0DFFEB6BD69F531BCCCB3672E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:21.692{F81F30E6-0B0F-62E1-1100-000000007202}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ECC12F2927655DFC982A25491D940689,SHA256=B706AB2EF1E460EFE81D4F01F18EE8665136F0FBB0DEA7D1D9E992A66FA2038D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:21.474{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5194A64B1FF925863430FA172120CC5,SHA256=DE28C49BB007F5EF4755A6268FCC9D5557BDB55FBA6894533A45408ABB764D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:21.485{53069400-0B10-62E1-1100-000000007202}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D8450042D57BE1E3220EBB18ED72103A,SHA256=38CBE73F43D2B8E19EA5CB98B7A54024311AFA2AE0630D36ADA264748EE01724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:21.422{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:22.797{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B42BA4C2B2AD284E92DD7EE3FAA1690,SHA256=2B1E8AD5C4C840B76BDE48AE619DD5797038C8D7C391EBA34EC99CC1836A0C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:22.797{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9C8A7AA44C6A3EBBD06039FAEF9232DF,SHA256=A3EF2B5A6056AC2C62CE3715A30BFA30D84462E3B21C634C08C4CEF5F9850163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:22.567{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7887F0ADFF6DDC714B8514881739C375,SHA256=493D2CFFC53CD374840FAB0157D07C38126D41E8FEDBE1633D2EC4250C4D9795,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:19.443{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50079-false10.0.1.12-8000- 354300x8000000000000000331323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:18.769{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50254-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000083218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:23.891{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC80BBB93C422889966C6B6C17197359,SHA256=FE00DFE387E94E5D17B3CF5985BAA02CF2541C4446B0BAD4EF740DCD99F2A74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:23.770{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA7B99A485D30DCB8A6F12C1341B610,SHA256=B25933690DBC26AF487536226090B8CE7695098734EE2ED715876AF8D377F567,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:20.678{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50080-false10.0.1.12-8089- 23542300x8000000000000000331327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:24.864{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F6C7A2D2335698759FF0148137FCD6,SHA256=9DA71C4F2C0959C275809D317762885E6B1425DC3E657B3652ED9B217A88F87A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:24.602{F81F30E6-0B1D-62E1-2C00-000000007202}2616NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220727095336-031MD5=99DFBF69F36DC84C9E4F055F96F6DBEE,SHA256=5A6F241667B5803E3B22FA8E48F54177002A808F58B64D76EA864214BBAFB413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:25.941{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38190F9FA72434DC089903C27EF5D0E,SHA256=E80D1FE521BD4DF5CE181F37869161D555583C7DEDFD6DA9D75BE0090D2B53FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:25.000{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5836D9D0059FD424A8044376FB122F6B,SHA256=06BEC5724091FC08BC171FF6C3E9AED3FD43977B61D51D3A7044BDBE50A1F51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:25.615{F81F30E6-0B1D-62E1-2C00-000000007202}2616NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220727095334-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:25.208{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:25.208{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:26.094{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4E92CE9B2571A7649E8FDD4083FB9D,SHA256=E06717418866383217ED9D50050459DC8EEC4876825305DF73BDCCB208542EC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:26.475{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:26.475{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000083222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:25.459{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50081-false10.0.1.12-8000- 23542300x800000000000000083221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:27.188{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE73478CC266FBC69A1AE9C63FF5B3D,SHA256=C99C71776CC5A08C2E0B6DE5BE1F1EA15CA0DC3A1D23E4DCC6F362C124ADA466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:27.014{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8705513AC4EBAAB82262208932F3079,SHA256=C21D8E3AF4466923D1A6837B3DC2244545DCDE0E6F570EA6BA83A9F5D5A10EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:28.282{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C4F73066AC86152D8F1A0BF827FF30,SHA256=4309FADDA5B91C00250BF23AED9CA592C9D0348C0B200F9E89634040776F707B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:24.595{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50255-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:28.103{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBBACDF10D3FACD0B9886DC1BC33B52,SHA256=76C306044C2527D9CD957B758D54F716872CD42C762CF057749BE329786C67E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:29.375{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6BF39BC29D9910AC08A440F5E495DD,SHA256=A3AA1BE9CA9CC6575598A3B12358115E19F9FAC8EC938890F3CB751ECD9A358D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:29.196{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9B2A40CE8A1386D869886DD90E9D01,SHA256=1C1D35139E4ACEE946E69748103354973CC07428941A720A6452AE0779AEE1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:30.469{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B190C2B538CE32C11F69CA0C007E71,SHA256=B70B8B0B03925302892F9BD7954292BB5296CCD6C47BDF22654D2A9C7E067C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:30.290{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81B0D4E747CCB4042F6A0E00423CA63,SHA256=C3955A949F838C8FA11A88F65F224D363FCBCC04CEA3F79D0188595DE43C3A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:31.563{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBEEF08B31AA0B71AB847E28BC26D57,SHA256=235F2D7FE251EC3735C0C4900933011AB0100782F52812B92A8523B5A5A6603D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:31.384{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78765ACF9ED821B1D937BE8669C0C6F,SHA256=BD17099A8F5D36A595C901AD8240EC283A105084F85475E02F7EFF1592DF3334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:32.657{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4046F527D84E698D80954C7565982076,SHA256=84509FA29E8AC7A57FAA48306098DF96641755C8788E5B037565F048F2B32496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:32.477{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCCA5D2E3E87956D426DD9F459B772C,SHA256=C2B40CAD26C32F1D3CF5982EC14F24F7C024859481CED18BD04D4D53A6D7E9E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:29.805{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50256-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000083229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:33.750{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66727EB6AA8C15EBA1E4B188B682E49,SHA256=A8EB93D9AF57F1A5A01D6CE47D0AC994C69E0A1534960DE34B7A141C6E80709D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:33.571{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACC57EA474347B25F5B52C7123B4F7D,SHA256=A4D9DD4B34CE5B83D33E9B40D27603AD07FEF3B7A242385E10FC07A34D385F41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:31.365{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50082-false10.0.1.12-8000- 23542300x800000000000000083243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.860{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE73CB1A5B0133907987A3D025C3928,SHA256=6F2E49FF2E2C375BAF286C7A5250FB97707940DDCEA01149C2030CD5CAE9CC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:34.665{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B38310BF941EDF07D2F02B8C78A7231,SHA256=FC52B6BC736AB9F4556635BDF8703B6E1769FFD64D27AF1FE2605CF66A889C03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12DA-62E1-6D01-000000007202}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-12DA-62E1-6D01-000000007202}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.672{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12DA-62E1-6D01-000000007202}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:34.673{53069400-12DA-62E1-6D01-000000007202}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.953{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F09499529A314A77ED325D2DDC592DF,SHA256=FE554B76A25DCC9CD2AFEEED8DE6F8D8A7FB5360A4592482F782C7F81B073C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:35.759{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE2996DD6F9C00B82C23F4A5ED81F3F,SHA256=8846663217E787D8D7914244FEDE1F7AAFD9096BDB529A5E1AEFBE3ABABD442F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.766{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5A8588A7ADB21DA012F9DA1652F8C32,SHA256=F228C3F0CED483E9BFB6D6901C117EF7497EC11114EA73759C191467F51FA8FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.703{53069400-12DB-62E1-6E01-000000007202}1936728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12DB-62E1-6E01-000000007202}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B0F-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{53069400-12DB-62E1-6E01-000000007202}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.547{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12DB-62E1-6E01-000000007202}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:35.548{53069400-12DB-62E1-6E01-000000007202}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:36.852{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ABB0234686DF6BD6FAEDA2D1E650470,SHA256=075FA6204F821753EC5A62A21D3FCF3FBC925C86EACCB112A64377905A796B0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12DC-62E1-6F01-000000007202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-12DC-62E1-6F01-000000007202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.719{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12DC-62E1-6F01-000000007202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.720{53069400-12DC-62E1-6F01-000000007202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.328{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=952B36596F785E7632F1B7CFD35F0497,SHA256=471470761AB49BB3CAB726FC060B6481B3C250219528F9E84408A7A8F2F7816D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:37.946{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049A1D19BFB991326EF48AB97404AFA4,SHA256=A9EEDD187394EA6A30CA3388B806F0701AD3A59CB305A16251E1975DB9922990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:37.047{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C51F46C89187F34AD5324D702B3A25,SHA256=61DA89C8677593EB886431BC78ED20FA007A3779EE9475DE63B7F3922F3A1EF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:36.428{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50083-false10.0.1.12-8000- 10341000x800000000000000083289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.532{53069400-12DE-62E1-7001-000000007202}876952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12DE-62E1-7001-000000007202}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B0F-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{53069400-12DE-62E1-7001-000000007202}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.375{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12DE-62E1-7001-000000007202}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.376{53069400-12DE-62E1-7001-000000007202}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:38.141{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12764C08A4F229FD57572B1559937989,SHA256=42DDAD1432828906F416E7C82769C2D9010B41397E8F254FEE29C9BFC8830DA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.735{53069400-12DF-62E1-7201-000000007202}24043824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EA6F398B789F3F7EBDA1520E19715B,SHA256=BF4BF72049E30D7E5E339F5EF02F44BE808621DB6139BE478EF399D018BFED03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12DF-62E1-7201-000000007202}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-12DF-62E1-7201-000000007202}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.563{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12DF-62E1-7201-000000007202}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.564{53069400-12DF-62E1-7201-000000007202}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.297{53069400-12DF-62E1-7101-000000007202}40401348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000331348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:35.711{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50257-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:39.040{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D815C54A90B89E8D20D6C16718F66D,SHA256=E98C25814F2872F22C1047EB5430B159B24F82DDFB30FC7F4354FA3B18E95C67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12DF-62E1-7101-000000007202}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-12DF-62E1-7101-000000007202}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.047{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12DF-62E1-7101-000000007202}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:39.048{53069400-12DF-62E1-7101-000000007202}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:40.360{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2F2C7FD990C7CF6508D4562AF56D4A,SHA256=8C7182A63A0830E941D1F3457FE66CC242AAB16ECC4843D4B95353F085538CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:40.133{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26137FAC3F54790CAE5327C8580ADD7A,SHA256=A22EE316C85E08FD08F640D4F137FDDBA16D4DAD7356662C43606E1385BECF65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-12E1-62E1-7301-000000007202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-12E1-62E1-7301-000000007202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-12E1-62E1-7301-000000007202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.735{53069400-12E1-62E1-7301-000000007202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.453{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1707E9ED54CBEEC301D61BFA28505321,SHA256=0F91663D0B090D21EFC9015F104CAF34E43E04476323729F8FABED7B077A914D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:41.227{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F21CB4E686B134536E754A7444A29FE,SHA256=85C0B9989CFD7F454F98AC6C05C1BF08EF48145CD2DE285DC711C249B360843A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:42.875{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85798C535FA281C829062EB40E2FC98C,SHA256=D6D5B84EEBC4DFFAABB5D64ED9D153B1909CB7406ADBD99E8151F9E86345F6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:42.547{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAFF9A390A3455E68886B0B345CBE57,SHA256=ABE222FDCCA7687C0D9FF74227AFCD1CAB64789FFCECA7E272862EA2B21F713A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:42.789{F81F30E6-1286-62E1-C705-000000007202}5284ATTACKRANGE\AdministratorC:\Temp\dcrat.exeC:\Users\Administrator\AppData\Local\Temp\2\lJsKQV4aQDMD5=17E4DDC25069CFFE3A5CD34DCEF91032,SHA256=A04D36A57890E8CDAACA7088188931901F613BC74EB9C11083CC031235308C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:42.321{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42993D9D7A11A4D10B48EB7E0B2EE481,SHA256=A10527B71B224B31AD836656EB34906572DFD6BAA3284913F18E6EF0832EF0C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:43.641{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F3DE65A524822F9E966C0BC3AE4EB6,SHA256=708DE657A9405906A5393AEED8AD6F8AED4BDFA4F4C8C1B0509859200562CA53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:43.414{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3E3FF6B5CC5A36D84F2C832FDF602C,SHA256=21E31D20A7968AF2C0FCB6854E50102C0219B1E97356131B77D15A11513B38E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:44.735{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AE1901F20193B494C5A58E63ED0AB3,SHA256=C0AE35BFB8006A70DF4838676AAE38CE033A5E795319A4167C7A59EBE83C1848,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:41.648{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50258-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:44.508{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7635160523F93A95EB16F3B1B34653BD,SHA256=B4DA75BF10A494B924FC6632AEFABB588E39C6017C3E775C14CC0CBD3863034E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:45.828{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A284D1815F385B8015E1FA5A969FF34B,SHA256=688A82EF0EA61F4979F82EB3899DF863DC32E314630A42622D3F673892DF451C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:45.602{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F147F72BB939B6BF6A0505C6CA205E,SHA256=6AF96DCFDFC930FC6CC4E04F68434F9D54FF81CB886ED063DAB0CDD29F3ADB94,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:41.475{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50084-false10.0.1.12-8000- 23542300x800000000000000083341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:46.922{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97D92AFA8A56DC84A11D791599C943C,SHA256=073805DD4CB9A80EAEB134B93090E3C76E3AD993035EB0BC82BEFBB230A0E9E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:46.696{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AEDBE7A6659EC895EB45E1CE1BCA36,SHA256=1571EC7990B332752ADFF64F52F6627F053A8DF076A3E150252C0180D76BF6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:46.258{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:44.789{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50259-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000331367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:47.805{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6B1722409EE82F471BE5157DD7F426,SHA256=345DBA0236D7CAC68C7DC6EAAEB10B5803E7FB850A84601485EF3916C53B20F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:47.571{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12E7-62E1-D105-000000007202}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:47.571{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:47.571{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:47.571{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:47.571{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:47.571{F81F30E6-0B0D-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{F81F30E6-12E7-62E1-D105-000000007202}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:47.571{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12E7-62E1-D105-000000007202}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:47.571{F81F30E6-12E7-62E1-D105-000000007202}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.899{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807654160E0F09F654B402749036FC68,SHA256=583EB359AB6F1E4EB8C983457A803D071CDE48DA3A5BD23FF4549B720D22F401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:48.032{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301C3952A9FA1A83C816A73741E6617E,SHA256=4FE1C13216FB13633713FFD95A04CD7B4C8FE108BDB39477E6BA0E11360EC142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.633{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F594E23FFC2A5EA886BFE240508CB160,SHA256=668EC088EDC2CC61F15C8BAFE3170170AD20B56E0176F428B5219EC0C59C1DFF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000331378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.508{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exeC:\Users\Administrator\AppData\Local\Temp\2\EytbzjvRWh.bat2022-07-27 10:26:48.508 10341000x8000000000000000331377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.477{F81F30E6-12E8-62E1-D205-000000007202}43605180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.242{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12E8-62E1-D205-000000007202}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.242{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.242{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.242{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.242{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.242{F81F30E6-0B0D-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{F81F30E6-12E8-62E1-D205-000000007202}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.242{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12E8-62E1-D205-000000007202}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.243{F81F30E6-12E8-62E1-D205-000000007202}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:49.992{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54AC8F45782A549A815C434D19590CAC,SHA256=3D7725896DB68C845CA910E516DA0526FAF5E446DE5FDE74C23A5500FCA727A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:47.366{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50085-false10.0.1.12-8000- 23542300x800000000000000083343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:49.125{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5C9911061C921BCD4E862BC213BEF1,SHA256=640E3BAC6FFA782EC991C9624C5E2874DA6DDB6F4F0E14B310DB7BC2798E6016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:49.274{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DF21A07AB7D0AFCC5E1D5C75B5961A09,SHA256=15D9A715803DE2DCE68F6CB842E9457936601E26186718802BB4B4BFF19A3BA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:49.274{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12E9-62E1-D305-000000007202}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:49.274{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:49.274{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:49.274{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:49.274{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:49.274{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-12E9-62E1-D305-000000007202}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:49.274{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12E9-62E1-D305-000000007202}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:49.275{F81F30E6-12E9-62E1-D305-000000007202}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:50.235{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92AC3B8F8716F9DD2CD03A73883C2F3D,SHA256=F766BF61163F4DC72D542C7CE1444ED638A5B556A126DAC99A8FB519A054AE34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.086{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local50261-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000331392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:48.086{F81F30E6-0B1D-62E1-2900-000000007202}2560C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local50261-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000331391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:46.742{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50260-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000083346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:51.328{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93E9ECE401B2D5EFDE261E1073248A9,SHA256=F2BE81425B1AF3A55557003489DD83C1788E18137DF8A13699D5C8C89B1F9B37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.727{F81F30E6-12EB-62E1-D405-000000007202}6164904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.539{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12EB-62E1-D405-000000007202}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.539{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.539{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.539{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.539{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.539{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-12EB-62E1-D405-000000007202}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.539{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12EB-62E1-D405-000000007202}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.541{F81F30E6-12EB-62E1-D405-000000007202}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.086{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00848E18C66790823467D539EE312350,SHA256=03FCEA34AF9910FF35AE14A235C16F622B3CF243E810F6AB64BB2740FC4FBC88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.727{F81F30E6-12EC-62E1-D705-000000007202}40925100C:\Windows\system32\conhost.exe{F81F30E6-12EC-62E1-D805-000000007202}1348C:\Windows\system32\w32tm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.711{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.711{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.711{F81F30E6-0B59-62E1-8100-000000007202}2960884C:\Windows\system32\csrss.exe{F81F30E6-12EC-62E1-D805-000000007202}1348C:\Windows\system32\w32tm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.711{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.711{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.711{F81F30E6-12EC-62E1-D605-000000007202}17605468C:\Windows\System32\cmd.exe{F81F30E6-12EC-62E1-D805-000000007202}1348C:\Windows\system32\w32tm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8ad9|C:\Windows\System32\cmd.exe+6fdd|C:\Windows\System32\cmd.exe+11a9e|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.721{F81F30E6-12EC-62E1-D805-000000007202}1348C:\Windows\System32\w32tm.exe10.0.14393.0 (rs1_release.160715-1616)Windows Time Service Diagnostic ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationw32time.dllw32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 C:\Temp\ATTACKRANGE\Administrator{F81F30E6-0B5B-62E1-E402-080000000000}0x802e42HighMD5=5E45EB4FB348C9917F066126E5E0B9C3,SHA256=6B71A1DB48DA5F0359EA3FBBD3DEC449B7F91B00687617D0D6E979B5F0AB2459,IMPHASH=7C470B69FB39A5325C20AE270AEDD5B0{F81F30E6-12EC-62E1-D605-000000007202}1760C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Administrator\AppData\Local\Temp\2\EytbzjvRWh.bat" 10341000x8000000000000000331428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.711{F81F30E6-0B0F-62E1-1300-000000007202}965248C:\Windows\System32\svchost.exe{F81F30E6-12EC-62E1-D805-000000007202}1348C:\Windows\system32\w32tm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.695{F81F30E6-0B10-62E1-1500-000000007202}12241996C:\Windows\system32\svchost.exe{F81F30E6-12EC-62E1-D705-000000007202}4092C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.695{F81F30E6-0B10-62E1-1500-000000007202}12241268C:\Windows\system32\svchost.exe{F81F30E6-12EC-62E1-D705-000000007202}4092C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.680{F81F30E6-12EC-62E1-D705-000000007202}40925100C:\Windows\system32\conhost.exe{F81F30E6-12EC-62E1-D605-000000007202}1760C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.680{F81F30E6-0B59-62E1-8100-000000007202}29606008C:\Windows\system32\csrss.exe{F81F30E6-12EC-62E1-D705-000000007202}4092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.680{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.680{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.664{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.664{F81F30E6-0B0F-62E1-1300-000000007202}965248C:\Windows\System32\svchost.exe{F81F30E6-12EC-62E1-D705-000000007202}4092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.664{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.664{F81F30E6-0B59-62E1-8100-000000007202}29606008C:\Windows\system32\csrss.exe{F81F30E6-12EC-62E1-D605-000000007202}1760C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.664{F81F30E6-1286-62E1-C705-000000007202}52841104C:\Temp\dcrat.exe{F81F30E6-12EC-62E1-D605-000000007202}1760C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF898CB220F) 154100x8000000000000000331416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.673{F81F30E6-12EC-62E1-D605-000000007202}1760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Administrator\AppData\Local\Temp\2\EytbzjvRWh.bat" C:\Temp\ATTACKRANGE\Administrator{F81F30E6-0B5B-62E1-E402-080000000000}0x802e42HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-1286-62E1-C705-000000007202}5284C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000331415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.664{F81F30E6-0B0F-62E1-1300-000000007202}965248C:\Windows\System32\svchost.exe{F81F30E6-12EC-62E1-D605-000000007202}1760C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.571{F81F30E6-0B10-62E1-1600-000000007202}12922168C:\Windows\System32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.430{F81F30E6-12EC-62E1-D505-000000007202}50681604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.211{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-12EC-62E1-D505-000000007202}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.211{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.211{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.211{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.211{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.211{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-12EC-62E1-D505-000000007202}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.211{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-12EC-62E1-D505-000000007202}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.212{F81F30E6-12EC-62E1-D505-000000007202}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.195{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD16C0673F667DC0F60A123A95A60B2,SHA256=6442BA45F35C6561FA6633EA82A51B17749FF6A9CEE52B4C04CB7F8A07AC33E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:52.907{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D88DBF622E327B1240A74BF7BFAD9E3D,SHA256=E169072FFBD6A3C68FD62FC2B36C1BC3C73A206091E9F7C1303713844CB696F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:52.422{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D6A3134376A614C36418778E440305,SHA256=D757F82F4FD55016E9B97761DCC6900676C22E6C479664C5BCBCE14C82471C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:53.852{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B95A6495FE0D075EF8C91AE21163CE9,SHA256=6C8175E57FBAA250167ABDAF8C030FB05420375053D77921F8CBACE4E66142E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:53.852{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C99C6A2AE0BB212D5466FFAE569E1F9,SHA256=CB45F3518B4F455187F2D6519D719CEE4FDFECCED2208AECDCCD5F9A7AD50791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:53.516{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C45759478257595BE7E883AE4179D5,SHA256=2D5862A817F9DE33B492294FFF3A4F9EDDEF9835AF13769B757061AE212DAE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:54.930{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43D858F84C1F3E5E2479757D3DB3554,SHA256=E74EE7AA55806B614834AA39228601AB3EBFC1CF9EB9F05772412E7C52FC5B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:54.610{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C121D6F12A2F03F9D13B5E725A1A94,SHA256=F03D62A6AE19A77E5079D2F984EBEA6FE7C87228D6CCA229918F8571B482382C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.290{F81F30E6-0B0F-62E1-1000-000000007202}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local123ntptrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local61025- 354300x8000000000000000331441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:51.290{F81F30E6-12EC-62E1-D805-000000007202}1348C:\Windows\system32\w32tm.exeATTACKRANGE\Administratorudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local61025-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local123ntp 10341000x8000000000000000331440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:54.820{F81F30E6-0B1D-62E1-2600-000000007202}25362132C:\Windows\sysmon64.exe{F81F30E6-12EC-62E1-D805-000000007202}1348C:\Windows\system32\w32tm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:54.820{F81F30E6-0B1D-62E1-2600-000000007202}25362132C:\Windows\sysmon64.exe{F81F30E6-12EC-62E1-D805-000000007202}1348C:\Windows\system32\w32tm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:55.703{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5357AD715F8F887502B75608DDD54E75,SHA256=87851741E7460C442FE95462C7AC02B341BF90FFE8DF942A828BF91064A3651A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:52.428{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50086-false10.0.1.12-8000- 23542300x800000000000000083353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:56.797{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D5746F7426A1AE5749D1BC7DB2B58B,SHA256=7ED4FC7AA56D76D5CB8000160F3F300C9B24AD62A24754ADCCB34F2B20D714F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:52.679{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50262-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:56.023{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EE0744BE49002CDCE370022105FB29,SHA256=B9EA7374EB73AB666B8FB52E9DFC2FDCAA9E13E295AF44E73DE91AD808F0D419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:57.891{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F166484B8D40637BAA04CB9BD65F368,SHA256=DBA73E0822FFE343F64C2EEE10F81C44133187E2D506A67E275CFFAAD5580620,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.899{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.792{F81F30E6-0B10-62E1-1500-000000007202}12241996C:\Windows\system32\svchost.exe{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.792{F81F30E6-0B10-62E1-1500-000000007202}12241268C:\Windows\system32\svchost.exe{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.792{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.758{F81F30E6-12EC-62E1-D605-000000007202}1760ATTACKRANGE\AdministratorC:\Windows\System32\cmd.exeC:\Users\Administrator\AppData\Local\Temp\2\EytbzjvRWh.batMD5=DFAC0D56C6042216064B440DAED4A82E,SHA256=FA00CE28D757BA581E7B46226A484C99C3B19A65CE4C9086C4B3AB34C9795946,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.758{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.758{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.758{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.758{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.758{F81F30E6-0B59-62E1-8100-000000007202}2960884C:\Windows\system32\csrss.exe{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.758{F81F30E6-12EC-62E1-D605-000000007202}17605468C:\Windows\System32\cmd.exe{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+1b13|C:\Windows\System32\cmd.exe+c9d2|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8ad9|C:\Windows\System32\cmd.exe+6fdd|C:\Windows\System32\cmd.exe+11a9e|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.763{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe5.15.2.0-libGLESv2-libGLESv2.dll"C:\Temp\dcrat.exe" C:\Temp\ATTACKRANGE\Administrator{F81F30E6-0B5B-62E1-E402-080000000000}0x802e42HighMD5=E06895CC68C528CCD69780358C4A9DA8,SHA256=A7BC5B997A4051EF86F2BEC3C3E21254AFF16F8CFFF9ECFBBC06F73DA39D5F9D,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F81F30E6-12EC-62E1-D605-000000007202}1760C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Administrator\AppData\Local\Temp\2\EytbzjvRWh.bat" 10341000x8000000000000000331447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.758{F81F30E6-0B0F-62E1-1300-000000007202}965248C:\Windows\System32\svchost.exe{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:57.117{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B5ACE9BB182BFEAB6870B9F0FCBA08,SHA256=A8E7C41F5FDF496EA9D8B19F76BE6020F802CEA807C1EBA299EC573E46107D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:58.985{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219C0F0784D1AEC11496BF494DC8B79A,SHA256=34AD2033B6E6FB6C736225EAF7049330BA1E6C70AB36FFBA0AEF3C78A3311F02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:58.726{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:58.726{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:58.695{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:58.226{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5C949EFE364176ED5913FBD2B5A507,SHA256=F1616AC3B6C9B58ECD14CBD8BE3001E0B2594B4AB666F49030344F300ADE8170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:59.320{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CD6E2F60DE7D5298F6E479DDEBB99C,SHA256=618241426DD8415A2A2A937DD7B371710CBB1F16F430BF08FABAE64F153CB78B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:56.304{F81F30E6-0B0F-62E1-1000-000000007202}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local123ntptrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local61026- 23542300x8000000000000000331466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:00.523{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFED27286FEFBF514B12C4D092FBC57,SHA256=684933BFD6209416D714A314CC02DB43E94084A5EFCFC326496490DBFEB76F66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:26:58.303{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50087-false10.0.1.12-8000- 23542300x800000000000000083356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:00.078{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8ADE5D29A365A310BAB6964C8ADE7C,SHA256=ADDB515C8B9D1100BF872FAF9F2A57FC24562CD00008846BEA5128DE1783E0D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:26:58.648{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50263-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:01.726{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E18E262F480803787AE3A46F740F76,SHA256=018E64A45BC5719934A60F7D4775093EC6EDB895D60E0E2AD80AE8CE118AFA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:01.172{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40603E19FBDC67E805CB798E0C92594B,SHA256=E46D8BC08E3AC428B73F3D4BEBA1703E93A8EBE7717C82110F505BAA1A791BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:02.820{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8497B3BC7C94BE125DF3CF3BE7BE6D8A,SHA256=B966E21F22BF5EE0547AE2E5904CE3E347CFCAA9D72481C17336B6B727B1552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:02.757{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E6DEB27A4336DF46DC50F8601EDFA296,SHA256=5BA0BBA05986A42D44950A323A0093DD369C98DB9F3C0459268BF3D4B31D3A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:02.266{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B088E3E8820C2E32DC5D0365C6873A,SHA256=98D46E5881460D8DF18F8A4EAB8F30801A23EF4FCCA63EC1408103D2E2F8910F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:03.804{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624CD881AEE92196C9285F2CA2FCECBD,SHA256=40E3C0670998A73D5604C5A3DCB1D389C2960ADB7590C5138A2FBC3AEB48EEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:03.360{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656622F13A8BAB72DFF8C50D6AE122EF,SHA256=2EE069C96FB9DC7E87106DD36B08FC2A6FFA670E604F3455758D7CCEB48AC4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:04.898{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5CFDBC9FEC138423925C53EDBE745B7,SHA256=0682B478FD266E14EA0664488EEA9DA41A7A028D7CEAB277AD496E8C4094D55F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:04.453{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0840E884E4A9F75BD773D4E4D6FD397,SHA256=57C4A5AA33A0633635C0FA10BE0252EBFF995E2E300B3E0D2BDB549303DF5998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:05.992{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A19588DE4A64120003B5D05D7C11F1,SHA256=D5E2F43298605523F7EB6AFE517D53BB36C91A61BE71DB0A5EB3ADE66E28F3E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:05.547{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F1AB21CA2C4EDFE510D9BC9856D35C,SHA256=6B27107EB2250DEF14E4F4565D227E4887A500765FDBF9A2F31F74497D916814,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:03.350{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50088-false10.0.1.12-8000- 23542300x800000000000000083364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:06.641{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=75B5836B766974364A9A6AA19BBB99FA,SHA256=4DE3844CE8579FEAD874C57D1E30B0F1DAA70204E72EADCDA9512638E8724EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:06.641{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0EE189EE5613CDCE2A8A85154A2C16,SHA256=4220637FF18E48EA2C540A665644A0045396EF2969F05237C986A65EDE306983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:07.735{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71C072D80D5CE81A8B02376FD70D99C,SHA256=F4F350C85E46A8D6FCE0E2B9BB43A06C6E89352CE669CC281408AE71AF303248,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:07.195{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-12F1-62E1-D905-000000007202}5216C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000331475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:03.710{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50264-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:07.085{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8E427B0549728391FEEECA7B476518,SHA256=200D04DF74B4512FF6DF8683493E95E5D7393E9EA5DDDEE44BB7E83476162887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:08.828{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53BB9CFF17782A5C6605F46A0672028,SHA256=FAFEBECAE1227339F8F26A747DD67B8B3C6A54D6526BEB47A5ED0D57A2E289D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:08.179{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416169B4F9D5C09F075D5C053A465071,SHA256=11C3BE2B1DDD0F497DFD45AB926D86AB20EB36D21A21F62AEBF971C493F31BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:09.922{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B422FAE1010AF20F7ADE18C87C42DC,SHA256=F2256C8FEBFCAE6487F1544E2A95E51DF645E9BFF552EFEA643D6BF32C70DB0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:09.273{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A95FFA975B5E270714C800771817030,SHA256=A62D0DDD58DC52434008F9944ADCD0D59D8D67B40105605A114FCBCAEA0D7D13,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000331478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:05.788{F81F30E6-12F1-62E1-D905-000000007202}5216datagroup.ddns.net0::ffff:127.0.0.1;C:\Temp\dcrat.exe 23542300x8000000000000000331480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:10.367{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17AFDA34CF07D608D44CC256938F5D71,SHA256=F52516A1EE3A7B2CF23E7FF00461DFF51504A60638DC2B8BAE20E9D4CBA70C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:11.460{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850D00F236BBAD807A9AE48B8A1DACFA,SHA256=2717056766EF6CE72D5B2D47A9996BC70558DF7F9A58B5500EC7BEDA761B6AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:11.016{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4725F459CE7637F0FF0092AEC0D8BD,SHA256=70913D237DBC41C7637616BF73B04C857F183A56FD80AEBEB38B78154A75ED7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:12.554{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD2D3ACB8ADF32B45424FE23AA4E9E5,SHA256=EF5E6C7E2A1C79228C18AEBFBE6D0FB6EAE3790C0442EDB1B7F1B4E232B0C3F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:12.110{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0513F4EC760F5D90634613EF220FE9B,SHA256=96EB8FABF97F4DAE83C6BF6067096A36C0B0EB15C86D6945495EDFBFBFD17F05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:08.804{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50267-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000083370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:08.412{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50089-false10.0.1.12-8000- 10341000x8000000000000000331492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:13.726{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1301-62E1-DA05-000000007202}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:13.726{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:13.726{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:13.726{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:13.726{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:13.726{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-1301-62E1-DA05-000000007202}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:13.726{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1301-62E1-DA05-000000007202}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:13.727{F81F30E6-1301-62E1-DA05-000000007202}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:13.648{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D5258C245F286368BF85D3F74C33E9,SHA256=BE0D21497DE95FF99E261D4502EC878BCD83DAFA08EE0FEFAAB7886FD3DE42B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:13.204{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6759F4C79C93F821705D0CA16D538A,SHA256=9CE776A44D511F1038DFF8AE80920D542C3E7C7A440585DD30D37FD89D91B5B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:13.066{53069400-0B11-62E1-1E00-000000007202}1976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220727095323-032MD5=01981A41A7FA64D01C3A36AB72844534,SHA256=A596D5DA65530F5A35DD48212239B05D1A6D10867138ED42410A832D159D4E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.788{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA2BDC6F284E63A100ED7167F17CCBCD,SHA256=9461388D420E4DF62227F65AF1F314BDF68021C53AFBDD0BF96FAFFEEFE211FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.741{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9DAF2DBA074B5A178DBDB82B76C606,SHA256=B3EF127414442E417294FE51291E172DEEEB5A734D9DE4699D8491CCC09F256C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:14.296{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A4A7D44F142ACA5D9CC34BE599FD18,SHA256=9094B0AE7B09ACE403BA6A27D784DE92932600B3B07D67179E7AF09F59B2D837,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.226{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1302-62E1-DB05-000000007202}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.226{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.226{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.226{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.226{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.226{F81F30E6-0B0D-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{F81F30E6-1302-62E1-DB05-000000007202}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.226{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1302-62E1-DB05-000000007202}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.227{F81F30E6-1302-62E1-DB05-000000007202}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000331493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.007{F81F30E6-1301-62E1-DA05-000000007202}13085584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:14.079{53069400-0B11-62E1-1E00-000000007202}1976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220727095321-033MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:15.835{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A0AEBFB6F39F9AF5C4AB4179F8DA29,SHA256=99C6F328F89755E2572772C3BCE2D8F297548C66D27F11BCF3117A989699E06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:15.391{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7249BFFE2EF186EE3401E5C778B09344,SHA256=C11AD5A4DFE7887C3C1FA427049FA9E9487BEC9FB7F9E860F8EA7D561EC64541,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:14.413{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50090-false10.0.1.12-8000- 23542300x800000000000000083377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:16.485{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50E945EBA0954CB120A82CBAF9B884E,SHA256=43561008231612C2C246C62569E64A7849E7641E5E5C3A42BF2AB5375EA09D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:17.579{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21923C39F0C36F1C407A2B2C3DF771DB,SHA256=82288F8C5909DA67AB41B4F3C6DDD2046EE14BAFE36F89C9FCC12362413621D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:14.601{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50268-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:17.038{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A81CCC5745FCCDA531F523A7E9E95A,SHA256=2E64A881C4283ED5A8E7654A67991C1A4BD07E3E50CB06D87FCF8812DA60E5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:18.673{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039F5E3F8A6F5108889B99AB5ECE7823,SHA256=EFF9F4196E47EA47AC1BC8CA1F6B4E40174B3B4D349A1CFB5D3E7700D050CCE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:18.132{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676CBE581C4625D2C6244C9EC45ADD0D,SHA256=9618D629B53B0DEA37FFAEC54A557D6793771444D960CD0227D4646DC9FB7FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:19.766{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F82C8E42766C1EF4FF8FAB85F24E05,SHA256=0492E4E6762B277DA101A371D7DD9152C379F92EE2D4F239EAB9996300D4C46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:19.569{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3363C9051E3DD8F72FA23F136762B80C,SHA256=6F94D89FC5A46A30B07FE98EEDEBEAC348ABF62C18C1250C01257AA96B7AC450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:19.226{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B2A1A1C7E06F5A227981E12468AE34,SHA256=3302324A130FD9E55D4AF17F855A0C5357369139F8E9BA713ECB287C10D7B6A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:20.860{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548D7881F778E06E066152EEB15F4533,SHA256=5D90217DE9AC761A3BBF836742267E98DDBACD608375875B7CE899DAF76892CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:20.429{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6574AB6C847611E9E81366938C0A59C7,SHA256=5C004EBA395FC023E685D022DF842360B483E407CF281C95D5D546062356F9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:21.954{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53D3F136022EC3C08CF673F452B3526,SHA256=810B2351E51EC704B3CD1E0B804AEAF3A48B90FC1B19DF047918E203AC10665B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:21.694{F81F30E6-0B0F-62E1-1100-000000007202}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9133746D960461B0CF043D706BE48656,SHA256=0C37276807C3C4C0AE87630B7C858F27B08A1FF8B8668BC3BD4CFDE0A99DF437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:21.522{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0299B31ED9DAB14CD68129236069FA81,SHA256=1648FE17B8A48F4BAE55F329164476DFA19C77959E33C89F253F066BC05FAF94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:21.485{53069400-0B10-62E1-1100-000000007202}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=54930D8098800E396B6DB103AA500973,SHA256=5FA5F88DC1F21D57BE46124F13BB8F03ADE03391D4ACEF8A67AF67E9E72FAAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:21.438{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000331523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:27:22.835{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000331522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:27:22.835{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001f3c85) 13241300x8000000000000000331521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:27:22.835{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a19b-0x13573841) 13241300x8000000000000000331520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:27:22.835{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a1a3-0x751ba041) 13241300x8000000000000000331519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:27:22.835{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a1ab-0xd6e00841) 13241300x8000000000000000331518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:27:22.835{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000331517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:27:22.835{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001f3c85) 13241300x8000000000000000331516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:27:22.835{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a19b-0x13573841) 13241300x8000000000000000331515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:27:22.835{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a1a3-0x751ba041) 13241300x8000000000000000331514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:27:22.835{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a1ab-0xd6e00841) 23542300x8000000000000000331513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:22.616{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898AB5BE4BAAA767FBB051CF657CBDE7,SHA256=75DD4E60A237D1139DACD865BA32381477E2807F5C29F0E1364B09DC82DC0FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:23.710{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9361EBE1096C3DE546A736804E96229E,SHA256=EC107B8CCCE62C7743D4B2B69F468FFF45F6C77FE79BEA0E6BCBB85D870B97BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:20.694{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50092-false10.0.1.12-8089- 354300x800000000000000083387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:20.428{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50091-false10.0.1.12-8000- 23542300x800000000000000083386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:23.048{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B21EAF2D8612F559F53668969DEC61,SHA256=613A760B584C0552CA12DCA2D185BF8E016C7BC9854C66276845D3DEEF5BD692,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:19.773{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50269-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:24.913{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2189B306DB0F87B9A455E7B3BAE43751,SHA256=182AB7527F323E06E8A19484EC0083A0A595C99D8F077096DA30F1C1B635F17A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:24.141{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E625F190DAD25E470B0329DD7DF641D9,SHA256=3444C585B2C7B78DF3F7B41F87331FE36971685D87C0F0F428164D136BA79C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:25.345{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38C3784B53DF9542AC870D20DDA39FF,SHA256=8839E39DB7ADDC11F0ADD8FE8D9304982194ED9C59EC9CE53CDACD39BAC4C2EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:26.438{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEABC5366535AD1CA276CEFBF0260820,SHA256=D57CE98172F703C4A72E59D4AABB57BEABA92082D8AA8B05F22812E2BF7A15AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:26.136{F81F30E6-0B1D-62E1-2C00-000000007202}2616NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220727095336-032MD5=99DFBF69F36DC84C9E4F055F96F6DBEE,SHA256=5A6F241667B5803E3B22FA8E48F54177002A808F58B64D76EA864214BBAFB413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:26.117{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330AF8234A305F82F2BA8C582D7A9489,SHA256=F4E6DADE79AD2ED07174CF4B658AF8A085C7E5E1127FDA5E1A9D76170247F9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:27.532{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546D0E52E5C2160E6E8EC2756D54DCA2,SHA256=C116A4E9F7FA5659B3313A5CF27F0B80BAEED02859D7B723B573B500042FB86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:27.209{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94874A17F0AEF8E17740999DE627B366,SHA256=13E5D35BCC8CFD1AD298811C02DBEA8FA279120AD75A4805C17905FA4C4DB468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:27.135{F81F30E6-0B1D-62E1-2C00-000000007202}2616NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220727095334-033MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:28.626{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3120420F6F8B76C0B3A8A5DC06B18A03,SHA256=901EF21293CC8BAB14878DA4F5F42B4C34B713D8C99FAD66E955430E4787B34B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:25.788{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50270-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:28.197{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BB1BB3BEF8E0868877EF3A2E4C216C,SHA256=A36FFD1E80993548CF4986C717FF3F955D438814A57A48C679C9C7762E06401F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:29.720{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5230BC8F9BDE6982751A85E5B0DFACA7,SHA256=D9ADBB9E324007754A4BF844D71C3C8DB8115D94ADD6EF867E3C209AA62967F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:29.291{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81C05085775C7F8FCD849C9F09BEACD,SHA256=769401156D740411E1C03690C32E603692199861717ED3965B55C9E4B9EB95C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:26.381{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50093-false10.0.1.12-8000- 23542300x800000000000000083396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:30.813{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F72385284F5924A464ED4FE842F7D1,SHA256=BE5553583BC867627BB244A20EEB5FCA58395112F838370ABB3EBA8A8F9E4D40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:30.384{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF72CB1461A822CCE8597EF12CECC85,SHA256=4804606741D665D36748189F64D7AD486126028A60535D30CDE45BA741944933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:31.907{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75697CBCBC313C4CCDFF266E372FEFFF,SHA256=3167D6E9D8CA35DF3CBCFCA993E033978C96D909EC186B13C576659F69A790AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:31.478{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C115C0F490058FD0973FE76955EB5D49,SHA256=48CDDEBB6D23D7313EE9487D9BFDE14F8F5C0BA462FAC2D538F7EFB713359FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:32.572{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFC5D8F6659ED845D751D8E7DFB4703,SHA256=66BEDAB5E9009EB11194DD1B98441B485437E63A3E35E16168B24185807656C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:33.665{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140E2F672425EB39F4C732239F29E7FD,SHA256=A13B317F110C40E8049C64AF7E573A52A85D48EE9C72FD0F3D95ABD5E1DCCB10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:31.506{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50094-false10.0.1.12-8000- 23542300x800000000000000083398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:33.001{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0F3B55B971967262263AE2063CF529,SHA256=DBA55FF95FACD982088D18D29A849A4AFB1C02EDF2DCDE40283F9BDF7FFC5D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:34.869{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A84860E8500A8C7A9FB0121223EA182,SHA256=6729CEE1D39645B56783BBBD949D31C483E8F58041C0DD2CAAF868E0CB29730C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1316-62E1-7401-000000007202}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B0F-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{53069400-1316-62E1-7401-000000007202}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1316-62E1-7401-000000007202}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.673{53069400-1316-62E1-7401-000000007202}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:34.095{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C558EF86265DAB5D5969D7CC48785869,SHA256=9FFFF1DF95E4543F0987700A95BE8A594C7DD3CEC1314D6028F8C8FD8928F68F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:31.807{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50271-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:35.962{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA47E853FC519BCAB1B28EE7A492810,SHA256=0C8F9FE370CB6CAB9C092ED3FA13810022A460DC05AAF0D82FA7A70FA283595C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.813{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B567040D83822E191D35BC0CFFABE8B,SHA256=CE4E8084F872EEE25E7A76DD912D1E9450C3E185E64A23B520999416AE796E19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.735{53069400-1317-62E1-7501-000000007202}2452100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1317-62E1-7501-000000007202}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B0F-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{53069400-1317-62E1-7501-000000007202}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.563{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1317-62E1-7501-000000007202}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.564{53069400-1317-62E1-7501-000000007202}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:35.188{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D15AD4793469C7AE1BCBE25299A0310,SHA256=CBA9D550636F2B259EC2D61ECC59D1BA37E478FC31AC73C7C360255F00C3E84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.891{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4C16D36398AF125E7B59A651CD59633C,SHA256=A35FCB4BB89429A002353E631D912038104C845F2AFE597F428CBFACAA41CB0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1318-62E1-7601-000000007202}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B0F-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{53069400-1318-62E1-7601-000000007202}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.735{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1318-62E1-7601-000000007202}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.736{53069400-1318-62E1-7601-000000007202}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:36.282{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FC8D22842FF9149AEF21F333928C5E,SHA256=10C401194C2787EE36ADE0366CDF77950118AA99E0494F0CAC04D0072AED79C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:37.376{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126447B79EB0C9A28DF44CFE5AC61190,SHA256=CA0514A37E9F253C623134C57A52F6F26C905DCE9B24312E629A05D22168F2A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:37.056{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0703025416E4A8C054439E2092DAB09A,SHA256=97662431C74A0DD7EEAE7C8BBA3ECD8BAD869B02DABBE94A621B9A89FE47330A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-131A-62E1-7801-000000007202}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-131A-62E1-7801-000000007202}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.970{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-131A-62E1-7801-000000007202}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.972{53069400-131A-62E1-7801-000000007202}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.579{53069400-131A-62E1-7701-000000007202}3524816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.470{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502F2CFF9345639D04FE91707E7227A5,SHA256=255C0E9C60358F92F599191AFD2F3D27E0B1C7BB888B57736DBBAF04D8DFD7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:38.150{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF138ABB89292522C7186871511D8CC6,SHA256=255D4EAA511D534E587BC0E870ACD852CDAACA3C1134DC18F023B6A29F88EA9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-131A-62E1-7701-000000007202}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-131A-62E1-7701-000000007202}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.391{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-131A-62E1-7701-000000007202}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:38.392{53069400-131A-62E1-7701-000000007202}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.641{53069400-131B-62E1-7901-000000007202}27643596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.563{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FCE35F1A04E9F68092E1C7B96BF837,SHA256=32A5FCBD64F26C2862C98564390C094E7AB711DF5B25C00A5CAE0AF418373126,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-131B-62E1-7901-000000007202}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B0F-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{53069400-131B-62E1-7901-000000007202}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-131B-62E1-7901-000000007202}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.470{53069400-131B-62E1-7901-000000007202}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:39.243{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27982968FA6C3BDA2AA08649FE2EDA6,SHA256=AE0467333A5E6843A1B43C53C7204E1927EB128CBC8192E3BAD1CBA0058BAFAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:39.204{53069400-131A-62E1-7801-000000007202}39083068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000083491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:37.288{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50095-false10.0.1.12-8000- 23542300x800000000000000083490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:40.548{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0AA3015FBF7638EAA5ADABC5795999,SHA256=EA19F42C2D0809487893F51282BD7A5041704878F3E588733E56CF0172C535A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:37.635{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50272-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:40.337{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0038BFEB667F3B0FF7B90E49AA7E50C4,SHA256=CE01D6A8C9093810DA2370784FB3509566432C9929DD2CD67963E72A4BA95F32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-131D-62E1-7A01-000000007202}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-131D-62E1-7A01-000000007202}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.751{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-131D-62E1-7A01-000000007202}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.752{53069400-131D-62E1-7A01-000000007202}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:41.641{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47359CA42DF65A1C2B886B3FE89EB4FE,SHA256=2A395F6C42C06B30D6F50FF31AE948775358027EC34BA0228744E41E544E8991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:41.431{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC5F5C877681B01B0B5CF34C2FCA765,SHA256=1327099BC668786A6ACE6C8FBA62CDBB080057EC3C4A5BE697D46666E329F168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:42.813{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B49595891FFDAD21DACA718E6F50D31,SHA256=6515198C570117B0FCB8F3D5F28F25570436B9229C4984518B0B3DA932B8A4A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:42.735{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C30E96B21DCB4A70A0EC9B1BE7D1A9,SHA256=DA9D7C8B5DAADA8AC1330046E32C4D406D4E272CF15374997A9261826EA7FF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:42.525{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5DB6C851757AE50699644C51A83A8F,SHA256=5C4DDC2B49BA9569D1E9BC974D79A790C371680D1A3498C24E41C7D6B951F2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:43.829{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421A202F2A8D89855D8E5FD806D0D32D,SHA256=AEE5C8D3E1CDCB456433135E2ACCBA0915B95FF748B4B0E49E74DE66FB3ACDFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:43.618{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8749F8AE4C7CEDDC593431160B67402C,SHA256=0BEE3BFD4492755C178ED8201B9FDE271A1FA9C85CE4FF250A3EE5E537BDC503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:44.923{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5BF6721052F37A72301CBEBFF197BA,SHA256=A658C69B48C5B5D73BD001E0EB8C06C502D41B0801ECEDBBA1BDA7479E0B09DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:44.931{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BA288C816C85E675915B6CD0FAC9B6,SHA256=7CB48C7CE3DF643024BF0F3C1A3C6382688AD0A518465B1618886A18D2B435B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:42.507{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50096-false10.0.1.12-8000- 23542300x800000000000000083511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:46.016{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B557E8F5CFB72AAC880F30826978674,SHA256=628C63843811EBD5EEB3EB8F4AEEACD70ABEB5D890CA462627616A433EA5E733,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:46.931{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:46.931{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:46.274{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:42.697{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50273-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:46.025{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1BFDE5788E2AD7F1E17E3C7FCC2981,SHA256=BC3256A5AF707C2E75F507289D73838B29A504255F4F2E20A21F5AB38D8FB46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:47.110{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3481317970D77F2E0D5877D9F91D863A,SHA256=42624049964547A214B48C9742D69B7D6E672EFA6EBEF1134E05034E43C10A35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:47.431{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1323-62E1-DC05-000000007202}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:47.431{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:47.431{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:47.431{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:47.431{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:47.431{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-1323-62E1-DC05-000000007202}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:47.431{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1323-62E1-DC05-000000007202}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:47.432{F81F30E6-1323-62E1-DC05-000000007202}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:47.118{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C1A967D96C60F792270CB0DEE43DC5,SHA256=D8C7CD9E226200CAFBC3DFA692493564BF6AF159BFC2E3EA34F37D5F82123D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.899{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=73510FC7E2F043FBB14666A40273B262,SHA256=62702F826FD93F958E5875BA129FB0DC3928E3D349DEC5CDCB797F5F5DB50649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.478{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44DAE4855DA07BFAE94F84310701B64F,SHA256=F015ECDCEDC9A326E4F42AA09590BC742A5C24649B2C5658579B60510EC3B177,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.290{F81F30E6-1324-62E1-DD05-000000007202}16644492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000331573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:44.806{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50274-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000331572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.212{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F594F3FDEFCF5E0D5A4468AFE5AFE7CC,SHA256=121BE93A470E4A97BEBE2375811102520F6EDC1C8B3E934E61AE3A3BB0ADB173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:48.204{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3975C573AB10376332A93486332BB38C,SHA256=0A1FAF59464CE04D256A95270509A65B8E305D7C6D9312B3C839E917C72F4E66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.103{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1324-62E1-DD05-000000007202}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.103{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.103{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.103{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.103{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.103{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-1324-62E1-DD05-000000007202}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.103{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1324-62E1-DD05-000000007202}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.103{F81F30E6-1324-62E1-DD05-000000007202}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:49.298{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C72A5023640DADDC3E7CB470CBF4FE,SHA256=5E7C27EB2583DFFC784DC4AAC3B1942FF50AC3616EAFBF7413AD66582395D8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:49.306{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23FE9B41B73378DD5B4361357F29C7F,SHA256=AFD662344813DE3E044528E344A0F64E5D7C7531C0E97D024BB48D5BDEF67BB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:49.274{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1325-62E1-DE05-000000007202}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:49.274{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:49.274{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:49.274{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:49.274{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:49.274{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-1325-62E1-DE05-000000007202}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:49.274{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1325-62E1-DE05-000000007202}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:49.275{F81F30E6-1325-62E1-DE05-000000007202}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:50.391{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1012CECFCCEB5FB68016E33F527CD85B,SHA256=8B1322E6F14DA378C85D48174471CC8111875E558C1B7387A8CC285BE4CBCD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:50.290{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CB901F7B571996B40C5EFA3705787E,SHA256=4075185F604EE20E53A5103463573FE71DB77102D1D8691363BF284FF03D6170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:51.485{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77A9CA13EFD1AEAC8C607A16D936D33,SHA256=EC62BE417E401D924C80D1B61B24133E63C99905A81C1A4F8FADCA2D6FD3C996,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.993{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.993{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.993{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.993{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.993{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-1327-62E1-E005-000000007202}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.993{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1327-62E1-E005-000000007202}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.994{F81F30E6-1327-62E1-E005-000000007202}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000331598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.727{F81F30E6-1327-62E1-DF05-000000007202}40485664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.493{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1327-62E1-DF05-000000007202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.493{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.493{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.493{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.493{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.493{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-1327-62E1-DF05-000000007202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.493{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1327-62E1-DF05-000000007202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.494{F81F30E6-1327-62E1-DF05-000000007202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.384{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3DA156ED0E0FAEBF7D1500A7F04778,SHA256=1AE5B077FE3DA380A15575EA70D8E31344ABD8026AA8B16F922A703913FDE80C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.088{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local50275-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000331587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.088{F81F30E6-0B1D-62E1-2900-000000007202}2560C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local50275-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x800000000000000083516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:48.475{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50097-false10.0.1.12-8000- 23542300x800000000000000083518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:52.579{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515BAF222260CFDA236D769C6748D6F5,SHA256=2A73B8535B2E8E12EEC24431D4B948F6962E46CCE9D9884AE36FF35248A8F7B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:52.477{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E529604DB5EA031C5AED3442EC9B99,SHA256=1418C4EB758FC049E58599133A0A2FD1F3E73C7653C0D8C5E044CA45B94FC63E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:48.728{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50276-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000331607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:52.196{F81F30E6-1327-62E1-E005-000000007202}20962236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:51.993{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1327-62E1-E005-000000007202}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:53.673{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7DE1CF72685B62C2AC0D9722C25314,SHA256=8DBE076E2CB0DE75B6BCF78F7D7168E695538A382350F8E1432C4CB164D9BDBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:53.462{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530BE082DD0A945B2038D0B558C1B0FB,SHA256=740E179E0DEA7C530DD376DD8A27C238FDEAA716A4BE627AF0812121F92DCA30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:54.766{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372B56D70A6A4ADCE4FC68862AD9A28B,SHA256=BC06A5E9C139A28E0639251FE9268547EC9B98D177E83FCC66A199A40A520D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:54.555{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABA1239A954CB5B9AE8ABC553084A62,SHA256=77574F73EDAEE74DF3663550487CAF9FE0672393E25066D7302D4CFF270C8ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:55.860{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC5A04B82A7C36492653C3F92AB2604,SHA256=48E3F378308B895E0ACB5D4F90D2DCEF54E703A6BBCF88BDCABB02434A0C0721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:55.649{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E3EABCCB0087D358474F303726C83A,SHA256=A49132486E55C0FD7B4950BD4F6803D44334CA381F0678F7435015AA4151730D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:56.954{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82914EE46F9ECC08E5D2A675F560C34A,SHA256=28E04CD48DFA60C90F391A78213C110B7B20A823E6C4E4781863161C564A6D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:56.852{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293314D5D70C7F7FAAF2338B6A3E1404,SHA256=30BC79759F5DDA178A9AD862D3888A7E102C822AF163F80967096AA9687C9967,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:54.334{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50098-false10.0.1.12-8000- 354300x8000000000000000331613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:53.759{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50277-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000083524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:58.048{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197E91FC10EAA51D9B85532747FC413F,SHA256=64F762E9FD855E934C66E70E9FEDCB7B89591FFAA4718DF1623EBE99402FDD46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:58.055{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5885EB1EB5FF2C1FEFDC080A0E713759,SHA256=A883AF3971660F32274FF0EAE1849DB20CD502F671862E581E6B1AF633648CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:59.368{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B13C8AF2E3F943026D8ACBCEA684034,SHA256=2144AFE4DDAE4E45C432AB29F83BFE9FB02B6862F03FEB9CA19966281D2AEF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:59.141{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450942A263AD6C8F0459563C83013C64,SHA256=6AA6B3BD974CF9C9F9B9E14AEFF49EDAE8977B5DD3E8F2791278A3BD7D6AACBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:00.462{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4515A0B543007734C86359C14C7145,SHA256=337CDA302BDCA8B5E84C62B639A5779DE330735FA9C650194360BECA45CEAEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:00.235{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064F0810113D3A155BBB39052B1FD00B,SHA256=0A41AB4A8DA5D1D991B4E3BE2D0EED714169863AF1DF65E7EDE909842887DE83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:27:58.791{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50278-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:01.555{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B42BF2AAC79BA77FBE4A30BE6F5FF9,SHA256=603516073D7F0B2E9843A7194D369BE2463FE00782309DB03A84D385A4429CD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:27:59.413{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50099-false10.0.1.12-8000- 23542300x800000000000000083527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:01.329{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953514006921DA666874A8B57C727EDA,SHA256=C56887578C9DE29E95BB343709C3D7B26D42E9CBA1B71EA5079712B213E51872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:02.758{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8C6BD8A3061CF9180516FB13B03E89,SHA256=13F9A181CA86DF84746FB95F28387F1E017B78E13866B0BE6FC4E4222D6B88C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:02.423{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915C5EC23941CE051DC08535570A5019,SHA256=03CA77AF680169A7D99FE63AE4F31456B9925AE0DEA22ED186C7110DBE1CB61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:03.852{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961859ABBCFFB8796A996F8AFDC2D1ED,SHA256=C1885BC4B0ED0F901C0FE2D95FBADB668CA2AEE5310029536718C898C85BFE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:03.516{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C9BF514EA090CBD3A2F2E65D76759F,SHA256=6B26CF539030D8E7701A3828007045F5610AE808B4C9392990C22C2A592D714C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:04.719{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4E2259BE3F98BD65614A57553C8DD2,SHA256=A251260C027E7BEC172E10186DB8C7D1975470E3A695213D5FA4467A3531B89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:05.813{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7932C89C8413213FA581D679069718C,SHA256=E17FDBB9F93D5171E69CB2B7EBA4C3E3B7FF17A204C4430B288B68C43EF17ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:05.055{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1E54CE374EB0CE99C450902338FD13,SHA256=EF82E4CEE9AFD27C7DDEFE2E444292FF829B6642E06A0EE01516808EE57EEDB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:06.907{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E9EAB281C9C82F07B8FCB3AA0DBDD9,SHA256=BB3429169EC77A4338C49F672C38E331B1068C84DB128711BB6A587435D17204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:06.258{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D537F627680FBD85589BB11B2E2C41,SHA256=EB5972D07AEA290C4220DA199AFF8391BA17DF0DEC24CE2DF866E2E74CD1386B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:06.094{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F95830FA14F7FA42136AF1417DBCB0B6,SHA256=C2886A9F032D8FA5FFD8FD6D51547235CA3C0A2EC2A5C7E78DA8AA5F741A04F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:04.760{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50279-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:07.352{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD749846460A5FF2A9CC0DC89180740E,SHA256=5F19DEBC9C7BBF092B7C643C94041AFF0E9999944A420964F7FCFBCB0CE28D8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:05.397{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50100-false10.0.1.12-8000- 23542300x8000000000000000331626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:08.446{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6270DFDE9C4CD48FE08B7E846BF3130,SHA256=F80F2FA40FFA71CD4B52A4F5EE51CF9F383CE356702D7394198A70D6BD140F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:08.001{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3B7E7C8DBA71061C6F16058CE5BE99,SHA256=B8485FF94DC9BB3D92E8255B8D8C6195BD816326B3C59EDEC11B0A4578394214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:09.649{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C19AA116E97F65360CAD02A81597B4C,SHA256=5D31F64F9EC0F3BB95FF4C923B35D3CD3306DA1873DA5936872C383926B52728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:09.094{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4669AE8826AE9A2D56E0E3EC08A3E8,SHA256=A0FB42674CD74B05D619A22C3677DE0927EE0746076A45325E121C22D63B2124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:10.742{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429274F7C24D1D729A21F0B6B4DCF057,SHA256=93D7AAF9130FE7FCAC785538DECEDD48DFE3A86D1EAB61C4E97A7F8D912306A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:10.188{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DE2CCFD48CD59ABB28837FFD85F8CC,SHA256=83A0136817C18AF9F7F325BD8E0797A41710A072254A6DA6DD2C075C17540E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:11.836{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF993AF1E04629833ED1AAC1EC213037,SHA256=4317D0C79E1B66DFEEF484209AF88D5BB3285B2349094F1C72863BBE12BE9B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:11.391{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB09358093E11F00C0D3D82E7175CC85,SHA256=A6D7EEC5FC3D358B3135C8848262D221519BEEFA57D26623A3919D906FD6AA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:12.930{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A86584E7A8B509AB63A6BAF5DC7A57,SHA256=B0E1AF27456BEF4D30C8BC6BE1078EA97F66ECC14812FB52CBD1053E4D559CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:12.485{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718B98449697A4F1CB137680999DDA7F,SHA256=112A71AFD54AE376BE6DD65D2C5F3AFE46AE07EE75E096292C40F1F0A1920CE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:11.381{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50101-false10.0.1.12-8000- 23542300x800000000000000083541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:13.579{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3C56585BFF66AD4D84466EA86EA901,SHA256=D049BD7B45CFDA546EA3E89C7B5E4D85034CFB2D4D08C8563E66E4F204DC66CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:13.742{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-133D-62E1-E105-000000007202}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:13.742{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:13.742{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:13.742{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:13.742{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:13.742{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-133D-62E1-E105-000000007202}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:13.742{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-133D-62E1-E105-000000007202}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:13.743{F81F30E6-133D-62E1-E105-000000007202}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:14.677{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC8A472AAE17510CA91DC7BA86549A9,SHA256=9A8F4565EC2327A376676BADCE7965FD4948AD9334DDEA46FFEE352E9256E4B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:14.601{53069400-0B11-62E1-1E00-000000007202}1976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220727095323-033MD5=01981A41A7FA64D01C3A36AB72844534,SHA256=A596D5DA65530F5A35DD48212239B05D1A6D10867138ED42410A832D159D4E1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:10.697{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50280-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:14.867{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7720BE023E0ACF9F4541C33A9226EADF,SHA256=9938153A7E1B1C9703FB2994F1814F51E67596A7A49E6D101C43DDFFD333B2BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:14.477{F81F30E6-133E-62E1-E205-000000007202}16161028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:14.305{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-133E-62E1-E205-000000007202}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:14.305{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:14.305{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:14.305{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:14.305{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:14.305{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-133E-62E1-E205-000000007202}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:14.305{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-133E-62E1-E205-000000007202}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:14.306{F81F30E6-133E-62E1-E205-000000007202}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000331640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:28:14.274{F81F30E6-0B0F-62E1-1000-000000007202}444C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8a1a3-0x9409cdd0) 23542300x8000000000000000331639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:14.024{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B9EDD82989C7E201CA988CD0D4401C,SHA256=303A21C6E8CD6630E4CFF6D49A396EAD4061944041AFF2DF0956F9C4AC226C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:15.659{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FEA8481CA186142DAB2576185724E00,SHA256=307DDFC84B13224A93FDF6D6A1CBCC6519AA8ED204142A54EB0957CD0BBAF2FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:12.790{F81F30E6-0B0F-62E1-1000-000000007202}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x8000000000000000331652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:15.227{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B4028EED2911F9309AD42456B2A26C,SHA256=5CCA6DDB4886288AB2B11184B0703524D6EB70A519D0F46D2C9C742F16308B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:15.599{53069400-0B11-62E1-1E00-000000007202}1976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220727095321-034MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:16.754{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A4B88CF0553CF5F2C8FB34B2FDAC95,SHA256=1A01417B027679FCA759120BCF9E8C70F82FABFA6B6A7BEDC651DC9F9B15FFCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:16.320{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130612AD7815EA0B6194113B5D9627A2,SHA256=192C44EADAE9F7392DA5A527D8E4A09BCC120FA1BEC11153F9EBCEAE42328006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:17.848{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BAE1DDC243D0D6750F210CE8D24176,SHA256=B40D1AA89A9ADF22B9F0DB02F025F9CD142CCD00B4376FAF424080BF15AC9F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:17.414{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D884A698F19AB5F1694ACB28C9CFC9B,SHA256=5577DB7D0C164D2AFDA2F23036438930D05F4E52B64D58BFAF7308DB04609096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:18.941{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F5253B85CD4EC9EC580258A9C46355,SHA256=93D006E26192BFEFB231B919245874953DBD9E271D7BCE9F487392DCE856A8A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:18.508{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2321A188EC2BBB28522608E9D67042,SHA256=9F0D7049477AFF3DA431F39BD99A62206924792C8500E257E46C8F46DBF8B6AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:19.820{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A782D542141391298654845CAB9A0BCF,SHA256=022BFA084FF72FA4A6055A86892F2BF1DE2763CD1FB38B1257BDA6251EA4AC97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:16.415{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50102-false10.0.1.12-8000- 23542300x8000000000000000331658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:19.211{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5AF95407B73B1DDC4A3DF94A98A35E23,SHA256=625C87277200E2A564561D235A6AA9CFCDAA1BB9318147C0B8E757E47BFDBB09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:15.806{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50281-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:20.914{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD83F416FC2FCC2A1459D503F1EC79C,SHA256=7AF6DE61427FCB66F5CE2270207513D4985F9E9D5645ADBEDDA697DBA0D1BDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:20.035{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AE7BEBF723C851523D44E942C95FAA,SHA256=E0C117F6A8AE9ACB1F915628AD0D32A96199FE829AAD1A06B9DA370C2EC3C5E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:21.488{53069400-0B10-62E1-1100-000000007202}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D9A1B010F5AA37F2536F03DDB6AF8B95,SHA256=BF816415D764211A6937EF82CF42D13650F549CCA3508830F5BB8EDF00CE0FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:21.457{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:21.129{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF62C59A58B3F4FB0BDF09EA72418490,SHA256=8E58A0B1D91288EE079F33DB5F30A32B0A506742350A84485B770D7B8F582B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:21.695{F81F30E6-0B0F-62E1-1100-000000007202}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=112FA6226C9E35A0AD3E8662D5FF6121,SHA256=51FE572153D50D4F4BDD87F26EEA20DB0A2F894D37C912E5CDFD9EE3BF939BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:22.222{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A760FC05A2D792A0F9AC8B69E5795EE,SHA256=2601E5B921315054C88F98CEE65E07043A713BCC23CEEEA73DE7B6328351C8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:22.117{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7516917BF548A23E5C14D5D62FBF76,SHA256=4011BD01D92A4AFDA1EA257865EC67DEFC312FC93A43AE785D564359E154F708,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:20.712{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50103-false10.0.1.12-8089- 23542300x800000000000000083556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:23.316{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303DD25E2CC17FFCFAC7254EE3DD3DE6,SHA256=6364F4EF6AFBE66F88FC4C3989CEED08342D39025CC1D23225B3378AD80ACF80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:23.211{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F859D5A0DEF977D94D6A4C236AC398,SHA256=ABDFB27CCBE4FC613B0386BB5FED4DB540BFB1304A91BCECDBF8EC5EADAEB113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:24.409{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B13FCFA939268ECC736CE0A6079CA9F,SHA256=728C85A93220D8BC98696A809221E1DE79AB11462121E07523F30CF27E7A298B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:24.305{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E27ACAAD0EDDA2E95F5291E1EBFC09,SHA256=EA4210F0D1071C71919D81FBD89B47830BD148A6716583C6DED812F85758E01B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:25.504{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C017C29EB33F549DABB821BC14798246,SHA256=8653DCD5AEDFC53F2B7CBD2C07FA73A6FDEEAF8B66122497B722DFAD7F801A91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:21.603{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50282-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:25.398{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0FBB8917888975F5C2120F5149314A,SHA256=3AFE56867BC23DE8C699AAD8C80415CEC3B6D08F5409D0363AB5B405229EB886,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:22.384{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50104-false10.0.1.12-8000- 23542300x800000000000000083562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:26.597{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A647E868751748221848E078619CF17D,SHA256=F2AADC1766033AA7810B965A28784B5867F31C9E41728C5C1282614531D204D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:26.492{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575E14127309ED1CBE8A36D7F27ECA63,SHA256=0723D45C434316A4E9F02A511C596A0819D1EE6020178F065791CBA4A9FF522F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:23.487{53069400-0B13-62E1-3A00-000000007202}2680C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50105-false169.254.169.254-80http 23542300x800000000000000083563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:27.691{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8609D7805A8AB15FE7825D52FEE56089,SHA256=D8E315E444636DE0E671B19B005F7F48E0664B12486996912A44A38F41BF38BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:27.691{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD1F5626B46630F9AEF404CD42B4BCC,SHA256=9917CAB348715C2F62D76BAA3D1BFF2CCC46593B976E8DC4BC1BB3CE41B31369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:27.655{F81F30E6-0B1D-62E1-2C00-000000007202}2616NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220727095336-033MD5=99DFBF69F36DC84C9E4F055F96F6DBEE,SHA256=5A6F241667B5803E3B22FA8E48F54177002A808F58B64D76EA864214BBAFB413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:28.785{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6FC1A380B1F554FE1DF17F49774DE0,SHA256=20845250B4F286B28FD5B6C8FCFA53EB36C09631AFB79FD26DD3DB25D716FD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:28.760{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67358CB42EABEFC275B95A9A20DD7BBB,SHA256=989F6D3FFFFADFB22451C4EB4312EBC31F7433A29D1E5A192143FBBFBD069828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:28.654{F81F30E6-0B1D-62E1-2C00-000000007202}2616NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220727095334-034MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:29.879{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1348D85EB6AB5AA56E03B93923BC9BAE,SHA256=9FFC297CFB57F991C9D055DC70C32923B279CB7C7E04558FBB1CF28C4A33A106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:29.970{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E072342EB991302B950DEC462CEA5BBE,SHA256=D86F5FA601EBA0E5B91A177D780988EAADD5DA157A36C3310E4C3CA095C8CDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:30.972{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBE51F1370DA34B25E8C6964D6A563C,SHA256=784324C51FE1941739A54EB0C0AF3B6A30D3541E544CB7C1E5B820DF0FDF6C29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:26.654{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50283-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000083567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:28.290{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50106-false10.0.1.12-8000- 23542300x8000000000000000331674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:31.173{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F0A6B14D087788CC5C9D9FC0F130CF,SHA256=DEBDFD246DC62DEF9771FBAC6E5E9D91286035D1F4E3BB16C7F6FB7C338D0244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:32.066{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58EC3A3CF7964D42D736E8127D567EF,SHA256=C48ED2F8822984E6B219A73B0399B10B33702105264760EE838D27FB308177BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:32.267{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40ADB1E9E24636A09C61DFFD09297376,SHA256=277F506C42096106768423B9A3092DD970B7EF67DD8FD2CE83A51AF18DD09B92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:32.017{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:32.017{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:33.160{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA197FD4F4304997C3F8E282B10119B2,SHA256=C7E902B15C0A45F8A04F140B1B8F9FD3F38BFEEE46A393305DEAD9A6B9A7F09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:33.360{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0004B30C4CC6446673A70F025931CB,SHA256=C53FA460C5B460F9183C452929E0DD3EE3E2085F90673F7EBD81D2D26DA20270,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1352-62E1-7B01-000000007202}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-1352-62E1-7B01-000000007202}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.535{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1352-62E1-7B01-000000007202}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.536{53069400-1352-62E1-7B01-000000007202}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:34.254{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3856AC24DAAD845159586F95BCD4D82,SHA256=F38BC2D3D6639AF98DBA9EC61BD60FCF167C73F524F89820C094B907A93470DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:34.454{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26869F3324F67F1A88B668E941EDDD5,SHA256=06AC554E836627362425D1D7D0FB31F8C07317C13638FB673EC8158B4B9B1295,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.722{53069400-1353-62E1-7C01-000000007202}3728528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000083599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:33.306{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50107-false10.0.1.12-8000- 23542300x800000000000000083598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.660{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7FBC6C39E709FBA5E455CA0A422B688,SHA256=7C52E8EE06D8D62838BBFC637CC7732775E03D7FE8961C1920A960DFC3C31CB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1353-62E1-7C01-000000007202}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:35.845{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B0F-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{53069400-1353-62E1-7C01-000000007202}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.566{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1353-62E1-7C01-000000007202}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.567{53069400-1353-62E1-7C01-000000007202}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:35.347{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA1EAE82A62A00609947ACB01D7FACD,SHA256=5086C29BC943094BDCF0FCFD735FA89EBE8DDAF7CDE029618A16F007E79C3713,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:35.845{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000331681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:31.784{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50284-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:35.548{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA94C4B19388AF68842D6DD7263541C,SHA256=F7C690C782CA6E3543C17914B24BB5AFF7C36C1E482BE748039CB43915A34271,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1354-62E1-7D01-000000007202}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B0F-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{53069400-1354-62E1-7D01-000000007202}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1354-62E1-7D01-000000007202}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.754{53069400-1354-62E1-7D01-000000007202}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.441{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3191AF859BAA2731A42EBC4EEB700B5F,SHA256=167EBA6CDC2A4FA9E9D0E2751B7D441FA0A76121D1550890708056352980AD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:36.642{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8524DA6C21A26E737F09370AB9A4A112,SHA256=513ABA8120B68D8A9FD629D05C5F9B4011575556E5B2F662FC02A6D324BA7AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:36.301{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=028A6FE85EBB055246E6C715F3576623,SHA256=DF7E26799677C5DA25A907DE61C338FF6F16032E0B026CC7AC12B942A79EB0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:37.535{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90217759CD8C556B4F9E120F3D08668,SHA256=413FC7E7CE5E0349EC2D84AA82DC41A71AD77CC6F011D09D86730437A7AB0112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:37.738{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5548F71FCEBEC114462C59DE89C8389,SHA256=47CAF6D5E14AAEAFC8795253B5D1DC9A07787BC0BBEB90CDEC5ABB4C58458371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:38.942{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4EC4CF463BF9F808611C423F1AEF17,SHA256=E632A276B14B8FD29C2A16239E0B4800390C12DA99121FB2D87058EA66A453CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.629{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E23D5065FEF23C886553A242DC49447,SHA256=A699D769C85B8EA7223C51359E1B9843FC0BEC1ACE2B0857274450A4292585CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.613{53069400-1356-62E1-7E01-000000007202}35563540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1356-62E1-7E01-000000007202}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-1356-62E1-7E01-000000007202}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.394{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1356-62E1-7E01-000000007202}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.395{53069400-1356-62E1-7E01-000000007202}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000331686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:36.017{F81F30E6-0B1F-62E1-4100-000000007202}3280C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50285-false169.254.169.254-80http 10341000x800000000000000083660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.926{53069400-1357-62E1-8001-000000007202}39242024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB473091278146B4CA73A26E6395124,SHA256=419ED856F251493127022CCF05C9FDF16E0DBFEC53E63AC0830C7642F5BEDA6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1357-62E1-8001-000000007202}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-1357-62E1-8001-000000007202}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.722{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1357-62E1-8001-000000007202}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.723{53069400-1357-62E1-8001-000000007202}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000331689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:39.645{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:39.645{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.269{53069400-1357-62E1-7F01-000000007202}39803484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1357-62E1-7F01-000000007202}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B0F-62E1-0500-000000007202}4121044C:\Windows\system32\csrss.exe{53069400-1357-62E1-7F01-000000007202}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.066{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1357-62E1-7F01-000000007202}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:39.067{53069400-1357-62E1-7F01-000000007202}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:40.816{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148F029F11BB147FAE38F7E327408942,SHA256=CDD29660F164478D5B0FABB6797BFEFD9897D7B05CE75FE3055C86E9C7FEAA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:40.801{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C8C86022BEFDA40BF5827E90CB29820,SHA256=F62933612DBB136A502B0759B50A4C0291C1BC62EFE3388F5F097A3DA7258CA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:37.709{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50286-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:40.035{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90195271CA170BB6ED152D35BDDBB38,SHA256=72962D8B7074B49B058811438112215B6B873022B81AE4DCCF053A658356D0CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.910{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E32CAAE42184D08B92A071B04E207B7,SHA256=EE1E15EEF875F467577DF962AAD7EDE1D89BE45D1F0B2560D33F9DE9A9B29862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:41.129{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434BBEC70821E79730CC1A7DBC95F3EA,SHA256=28A90846890BDD5F3099934E22952A8C9337E861D019467F15029DEE64A82D74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B12-62E1-2E00-000000007202}28602880C:\Windows\system32\conhost.exe{53069400-1359-62E1-8101-000000007202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B10-62E1-0C00-000000007202}736904C:\Windows\system32\svchost.exe{53069400-0B11-62E1-1C00-000000007202}1948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B0F-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{53069400-1359-62E1-8101-000000007202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.769{53069400-0B11-62E1-2200-000000007202}12723052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-1359-62E1-8101-000000007202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:41.770{53069400-1359-62E1-8101-000000007202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-0B0F-62E1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-0B11-62E1-2200-000000007202}1272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:38.463{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50108-false10.0.1.12-8000- 10341000x8000000000000000331700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:42.270{F81F30E6-0B5C-62E1-9000-000000007202}45882448C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:42.270{F81F30E6-0B5C-62E1-9000-000000007202}45882448C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:42.270{F81F30E6-0B5C-62E1-9000-000000007202}45882448C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:42.254{F81F30E6-0B5C-62E1-9000-000000007202}45884820C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:42.254{F81F30E6-0B5C-62E1-9000-000000007202}45884820C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:42.254{F81F30E6-0B5C-62E1-9000-000000007202}45884820C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:42.254{F81F30E6-0B5C-62E1-9000-000000007202}45884820C:\Windows\Explorer.EXE{F81F30E6-0FDD-62E1-7105-000000007202}2148C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:42.223{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD40C6BB49C8C15781737F7BAA1BF5AE,SHA256=162C25BE4AD161B74374C793D091D183BF4F8E2E731408C0F6C0682871BA1F09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:43.551{F81F30E6-0B5B-62E1-8B00-000000007202}42124284C:\Windows\system32\taskhostw.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:43.426{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185AD39D02C927CDB41BEAD74D8A4F01,SHA256=842D3A6089A18D3F32BF0CC041856D0F352E121945C96F7A560C201F8307776F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:43.019{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9601B7212C3593B078ECC24ABE3442,SHA256=642C1F6AC15DDD01A7EEF0585D4D559F21E3416DB27649E708DFCB87C658524D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:44.520{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=690483796DEB1E1671010734D5FA4A84,SHA256=63BB7E5623E8F9F2914CFF75129C6E70D04369BCA98B1B00478B29ADD56493D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:44.113{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFD120CD71A2026FED4B2A38115D38B,SHA256=493F3EDA23F513E0DA3F65BC2FC9C5EEA978E5E82F4FF10044E9E683AD1D32EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:45.613{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8FAA1A3CD14FEBD57041A06CBE1E8A,SHA256=AE9BCCD3B894CEAB2C9017702CCB888A2AD95DAAAEE7A48A0884D9F1EF703EC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:43.509{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50109-false10.0.1.12-8000- 23542300x800000000000000083680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:45.207{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3CEF2C7CE1A4ACBE472CFD8AD39483,SHA256=643DA0A7F503096AA5D11E668B8593E2FF3991AD3226260B635F1EF79614DACD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:42.740{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50287-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:46.832{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF1BCA4BE5C3831AB73B2A00E1BA24C,SHA256=61E145A97555AC438B602DAFC9F0D368C4FC506CB50E268C23427ABF43654A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:46.301{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3657B62816095FF54366AACA3A0E30F9,SHA256=6403D1218019D6E89ACBA39983D947847903C516828125AB1DFD4F42D848B664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:46.301{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:47.394{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44AC960E61686A43FB6D95AD8B6B09D,SHA256=F6257E14E53D487DC29061CCBF66177246B1044CE28E8C9CFA58B16F293B2719,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.957{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-135F-62E1-E405-000000007202}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.957{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.957{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.957{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.957{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-135F-62E1-E405-000000007202}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.957{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.957{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-135F-62E1-E405-000000007202}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.958{F81F30E6-135F-62E1-E405-000000007202}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000331716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.441{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-135F-62E1-E305-000000007202}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.441{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.441{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.441{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.441{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.441{F81F30E6-0B0D-62E1-0500-000000007202}412540C:\Windows\system32\csrss.exe{F81F30E6-135F-62E1-E305-000000007202}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.441{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-135F-62E1-E305-000000007202}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.442{F81F30E6-135F-62E1-E305-000000007202}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000331708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.301{F81F30E6-0B5B-62E1-8B00-000000007202}42124284C:\Windows\system32\taskhostw.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:48.488{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FAC19C3E85620E6011A45D3A83F437,SHA256=DF25FCEBC16605AC34BB11837949129D5556EA68967B810FCEF6A9B45C9B8C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:48.473{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D09400F0AC92822956287D00E6C91465,SHA256=6751B4F50AD9501CC312585FF8D808D631706DFF51929FE8705FA7C3EE09F9A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:48.269{F81F30E6-135F-62E1-E405-000000007202}59606136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:48.035{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E90DC1A9B58AE42B4762F694BC58D6E,SHA256=554D370B421E31CD94BA7ECA1CB3D4309EC76B06D2A2DE83ED7625D29816ED0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:44.834{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50288-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000083685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:49.582{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038380CECEE5ABA1D768EE755A336C04,SHA256=FA56E108DC83C6C1E349DD9B4EF8ED06C85E23DD48B14509DAF3029902207805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:49.488{F81F30E6-0B1D-62E1-2D00-000000007202}2632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BF86D5D9DADAC43A8B702C0594F2BB1A,SHA256=ADDE337AAC193F2D93AC621447435D106F44C352810BE12A1D6B006762539E64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:49.269{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1361-62E1-E505-000000007202}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:49.269{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-1361-62E1-E505-000000007202}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:49.269{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:49.269{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:49.269{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:49.269{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:49.269{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1361-62E1-E505-000000007202}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:49.270{F81F30E6-1361-62E1-E505-000000007202}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:49.238{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EA0444155B3228B8A65B634EDD64AB,SHA256=0E60C08407E3DE29368C49180020C7744863D1C476DF6A991B12DFF5A8B8A19C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:50.676{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87E59988F72E6E76B24690A057B31B2,SHA256=DC431706CA807CCB217CE24CCF3B6F5AEF3235188E55E140D5B651AEE3EFF778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:50.332{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09552C6BCB45579B12C7E164FD9CF876,SHA256=B65CEB9A7577CA0245A52221E7887A263BA6CFD9172C285F57636C8B3ED93181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:51.785{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207F4754A3C54CA0BC69389625FA07A6,SHA256=B9A1750C6625D69C50029090D878CEF5B4B149AD588DF848539DBD103AB8328F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:51.676{F81F30E6-1363-62E1-E605-000000007202}5744220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:51.504{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1363-62E1-E605-000000007202}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:51.504{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:51.504{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:51.504{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:51.504{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:51.504{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-1363-62E1-E605-000000007202}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:51.504{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1363-62E1-E605-000000007202}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:51.505{F81F30E6-1363-62E1-E605-000000007202}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000331743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:51.426{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=532FA8E2233D8F77289D6D250D070A52,SHA256=DD9D70CA2F33AFD513CDE20D2AF0C072C0EBCCCAF5F4CC008B1DF6CC90E774ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:48.100{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local50290-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000331741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:48.100{F81F30E6-0B1D-62E1-2900-000000007202}2560C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local50290-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000331740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:47.802{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50289-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000083689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:52.879{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F858C5DFDDC00C53F0B4322E5E99E4,SHA256=4B3973C5C884D0C081BF975E23C58F2836752584DE7BB56A941D8B0AF22D421E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:52.519{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05518980559DEB547F4C15AE395050DD,SHA256=5C4F55B1B965EDE7CDF58B086B0914F7AFFDEA348BF58ED59D557516A1ABDB88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:49.509{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50110-false10.0.1.12-8000- 10341000x8000000000000000331761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:52.379{F81F30E6-1364-62E1-E705-000000007202}29004428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:52.176{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1364-62E1-E705-000000007202}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:52.176{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:52.176{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:52.176{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:52.176{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:52.176{F81F30E6-0B0D-62E1-0500-000000007202}4122596C:\Windows\system32\csrss.exe{F81F30E6-1364-62E1-E705-000000007202}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:52.176{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1364-62E1-E705-000000007202}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:52.176{F81F30E6-1364-62E1-E705-000000007202}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:53.972{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92BD4E75EEFA8D8FB1FF2B061E9C7A7,SHA256=328C5628989A229B201F988F692597B212040169A5FCA3C81D60E78523A38D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:53.613{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB52F07675A97655B25F80167FF69C4,SHA256=EB88D1F1157FE360C10004D6DAB385815B6501E2C087FB068D0DBFA4FD4A0227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:54.707{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9479805E3CC226B6074A45FAFC28C87,SHA256=4CD7652606E8F0F58D658D4F87E947C4872C988FB5E66E3BD40FF2506F25B350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:55.066{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6DA4D79C7BD99ACAEDC3E2ED43914D,SHA256=4A08F378491A4F8F6D9604C9616A735BFCB5E7823C91386AB4A8166DA2A88304,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5E-62E1-9200-000000007202}4972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5D-62E1-9100-000000007202}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:55.254{F81F30E6-0B0F-62E1-0D00-000000007202}920940C:\Windows\system32\svchost.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:56.097{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20A1BD23E768E304747EC721ACEA36E,SHA256=66684DABCC416D31F24C1F862736FEE2D553F3CC610D05DBDB64752461B690AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:56.160{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFA702C5CC704FAD35A2649C25A11A0,SHA256=13821189897100A15288C80E60F613020599463F221D0D7FAEF43C49A9828153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:57.254{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE779E8D98CF47BE1276F93380F921C,SHA256=28958ED756870C7B32A7228608DAEF140736E5E68CA42763671F831FE724F067,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000331808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:57.800{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXEC:\Temp\wpigNgqS7W.bat2022-07-27 10:28:57.800 10341000x8000000000000000331807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:57.754{F81F30E6-0B5B-62E1-8B00-000000007202}42124284C:\Windows\system32\taskhostw.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:57.691{F81F30E6-0B0D-62E1-0B00-000000007202}6402424C:\Windows\system32\lsass.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:57.679{F81F30E6-0B0D-62E1-0B00-000000007202}6402424C:\Windows\system32\lsass.exe{F81F30E6-0B5C-62E1-9000-000000007202}4588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:57.629{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2A00-000000007202}2568C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:57.629{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2A00-000000007202}2568C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:57.629{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2A00-000000007202}2568C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:57.629{F81F30E6-0B0F-62E1-0C00-000000007202}860288C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2A00-000000007202}2568C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:57.238{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABD833ADB62723AEC0A1AFBC78F5269,SHA256=424F35642DAA610A994B58C29A6D7AEF670EBEF852504FB8F79F6F95272128A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:53.725{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50291-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000083695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:58.347{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131B531CBC90B101A197B4363A5F2DDE,SHA256=83B4EC57414E4737AC9F01EC705C1744421105744C18B3F35A0960FCC7398893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:58.332{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDB0108B83411C9AEDFB0FD093A84A9,SHA256=DF2103B5AE60309F2F5D1D9C88A6E8F0B251D093433B10CC6487FDDC40AA0F9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:55.462{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50111-false10.0.1.12-8000- 23542300x800000000000000083696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:28:59.441{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F46D1E5AF43B8BE77CEDD6524AE1F6E,SHA256=A174407FF727D519C15F554BAC5D85CBDF43D0159DE80204F527DFAB9DF54E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:59.425{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D89764B26ED5FCC78DB53507DE61F2,SHA256=01CAEA56E21FBA58058C1D6B02DF551D5F515E69669C792AA3E894DB92CC58E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:00.535{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C73070DC3522CEA8573D0269AE4579,SHA256=D5075357D71FDE1A670FD5AC2D4B0B21F8772727339DFA5A5B10432AE13E02A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:00.519{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8715095B272F4B0542A37A7BBCF40E,SHA256=AF9285A8E6566DECF27A740FB4630F87A5CE1ADB191E22D713E6D9A7577B6298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:01.629{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4550ED2092AEE4D3454CCC271195010C,SHA256=1C7C24DCD007FDDB1C56B5EBBCD12A9F4145E9E10C425C221FE863860F2C5210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:01.613{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D25C86D13AFD5118053348286C019B9,SHA256=B5D133BBE022858EAF33B608E4A4B7499C0AC6C547342B8061B18DB7BE63A001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:02.894{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-0B10-62E1-1500-000000007202}1224C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:02.894{F81F30E6-0B0D-62E1-0B00-000000007202}6402424C:\Windows\system32\lsass.exe{F81F30E6-0B10-62E1-1500-000000007202}1224C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000331814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:02.816{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53142B2AFC031BA6754B18D6E38D648C,SHA256=31F0C637A14DDF3646AC2DC27AB2E7E96E70612222F9E9A3C013EB17BF9AE19E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:02.723{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CE71B4F535B1DB423DB5E57CF5DFA4,SHA256=98CE65033B1F47B9FBEA4CDA4091E9AED74022BF7FBD12C2E10EBD1A93106234,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:28:58.771{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50292-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:03.910{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1B8FD6608AC23650DB373C249D1F5A,SHA256=13C1B1EB12A668BBE8DE46085B87A69F87E74C1AF459F07C12B33BD13FB72127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:03.816{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57CE40B0781DDC765EBC6F1A95C599F,SHA256=BE887FA4FA495EE9D73849CD5D3BD5BE333493675E4A9DCC669974F7B9902254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:03.003{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-0B0B-62E1-0100-000000007202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x800000000000000083700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:01.353{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50112-false10.0.1.12-8000- 23542300x800000000000000083702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:04.910{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17AD92EAE23FB231AC9A5DFF81D1D7A,SHA256=7772E8CECE91F0B72E52344B4A9AC40A9915BEE246C4C1FDD405FE2CD3814789,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:01.556{F81F30E6-0B0B-62E1-0100-000000007202}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local50295-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000331824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:01.556{F81F30E6-0B0B-62E1-0100-000000007202}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local50295-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000331823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:01.455{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50294-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000331822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:01.455{F81F30E6-0B10-62E1-1500-000000007202}1224C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50294-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000331821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:01.447{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local50293-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000331820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:01.446{F81F30E6-0B10-62E1-1500-000000007202}1224C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local50293-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000331819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:04.003{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4CDBA246927387A4FAB2CC9143252E0,SHA256=5634758D2620954F2EA4C23EF5849DDCAB556335E214233A2AAEF63EC50F2757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:05.019{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC07E3FF77D367C0ED08DD27A13726F,SHA256=B5502FE2F7DB7A6D7A5E094DCE05F52C2A4D9D5AEC9166B88722C164FF0D0D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:06.222{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AA2E9E6E349DF2BBEB7209D5310624,SHA256=3C90F1C6E8A87E2174F29B44473B100C15ADA23C164E9066C81E8A45CAA11318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:06.535{53069400-0B11-62E1-2200-000000007202}1272NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6D36E8A94E86ED6C7F50A3F6A93453BD,SHA256=E8485532C58A942359A12B556BE681BFAD008F67394AFCD46086A593A48DF56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:06.004{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DAEFA2A6F1D1ED1D765DB885980D32,SHA256=5F43175C481A706814C02D11BD40B155CBAAE257CAC2D41C83A30B0EB1015600,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:04.662{F81F30E6-0B28-62E1-7000-000000007202}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50296-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000331828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:07.316{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A996F6612C998303BD830AF3C28CF0,SHA256=B1BC5C10F973C329A8AD89F026771AB733EE5A5C81E23AF14816CB3A937B6562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:07.097{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133B9FB53D4621EA23A027D21C326A3B,SHA256=BB11E8D9A4E955984B1145EA0EABB68A15EEBC641D5AF4B1D2CD4695AA9ECAA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:08.410{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0015E12FE371DB23CECE97B87E05A58,SHA256=6AD4D26230138DA931FAAC4DB0053832953439CD42092F935CD721CE06870DCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:06.384{53069400-0B1C-62E1-6100-000000007202}3108C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50113-false10.0.1.12-8000- 23542300x800000000000000083706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:08.191{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA39FC67AB5DC63CA1B36415DDDF779E,SHA256=818B7FF0754EF1A332D63B6617C23AF96193B0185EF38F7DADFC2C81083A4344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:09.503{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CA61DABFE5CDE5DD6857F71D09C058,SHA256=721FE1E4502651C2C2C2ECD9FA64D4A36B48301EF377DABB28B7194476ABCC28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:09.285{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F017FA7F154CE6A92FCE32277AFBAA1B,SHA256=71E71DBD34D410F3360E3B350FF5F55750449D1EAC0D5ED45A72FB0F7FC491B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.597{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114350CAEEDE9D56C870366A7334F87E,SHA256=A210B73EBBFF99B63E8ABE513D7A94D3DAFD6429A006A32251D12EF70E9F1D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:10.379{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C1048FBC2ED3CD4B5CF961036E35D8,SHA256=FD68C8FF2721E1C2E09CFB72E92E35E1411AE974BCDE1FFCF352F884CDBAB57D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000331838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:29:11.691{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\AA1F4EAC-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_AA1F4EAC-0000-0000-0000-100000000000.XML 23542300x8000000000000000331837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:11.691{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8966FE5B72395E8133D3A591C58EA940,SHA256=F8608CBA56C3A9929C36620112DEF51FC89842FDCF2A5B891AC4D47616294D09,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000331836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:29:11.675{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Config SourceDWORD (0x00000001) 13241300x8000000000000000331835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-27 10:29:11.675{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11.XML 10341000x8000000000000000331834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:11.675{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:11.675{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:11.472{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F9BC10380F5A3F35A163AFF19A96E9,SHA256=10D7EED3A316B4B0FD06EC84254405589C5F17796E6F85A170C3F6FBDDFA0546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:12.988{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=884B33F3F1DEBD8EC38201FB9A30052A,SHA256=E548C064F45EC4CA6310F08B27F369CB1EA7F2514EAD56CA486FA135F9FE3DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:12.784{F81F30E6-0B30-62E1-7A00-000000007202}3784NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA880F18896AD084BD722AA475F73E7F,SHA256=9BED3D9F2825514262FCB74FCC160875DA454BD1902A243B569D57B2B7A886EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000331852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.251{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64014- 354300x8000000000000000331851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.251{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local56495- 354300x8000000000000000331850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.227{F81F30E6-0B0F-62E1-0D00-000000007202}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local50298-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000331849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.227{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local50298-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 23542300x800000000000000083711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-27 10:29:12.566{53069400-0B24-62E1-7300-000000007202}2576NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810EBA726676FC4F1C588605C04AE1F4,SHA256=CAA9FDC69364ABEF71CEA859AAB65CFA85F91F64FC2DA9088026A2B3C3533720,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000331848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:12.534{F81F30E6-0B0D-62E1-0B00-000000007202}6402424C:\Windows\system32\lsass.exe{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:12.534{F81F30E6-0B0D-62E1-0B00-000000007202}6402424C:\Windows\system32\lsass.exe{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:12.534{F81F30E6-0B0D-62E1-0B00-000000007202}6402424C:\Windows\system32\lsass.exe{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000331845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:09.616{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local57704- 354300x8000000000000000331844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:09.614{F81F30E6-0B0F-62E1-0D00-000000007202}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50297-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000331843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:09.614{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50297-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000331842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:08.776{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9890:cd25:8ee1:ffff-59022-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000331841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:08.776{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local59022-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000331840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:08.775{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local56481- 354300x8000000000000000331839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:08.774{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local54599-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 10341000x8000000000000000331899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.738{F81F30E6-0B1F-62E1-3400-000000007202}23642520C:\Windows\system32\conhost.exe{F81F30E6-1379-62E1-E805-000000007202}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.738{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.738{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.738{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.738{F81F30E6-0B0F-62E1-0C00-000000007202}8604084C:\Windows\system32\svchost.exe{F81F30E6-0B1D-62E1-2600-000000007202}2536C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.738{F81F30E6-0B0D-62E1-0500-000000007202}412428C:\Windows\system32\csrss.exe{F81F30E6-1379-62E1-E805-000000007202}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.738{F81F30E6-0B1D-62E1-2D00-000000007202}26323696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-1379-62E1-E805-000000007202}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000331892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.738{F81F30E6-1379-62E1-E805-000000007202}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-0B0E-62E1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-0B1D-62E1-2D00-000000007202}2632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000331891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.550{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.550{F81F30E6-0B0D-62E1-0B00-000000007202}640828C:\Windows\system32\lsass.exe{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.378{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.378{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000331887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:13.378{F81F30E6-0B0D-62E1-0B00-000000007202}640700C:\Windows\system32\lsass.exe{F81F30E6-0B1D-62E1-2B00-000000007202}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000331886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.515{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local55852- 354300x8000000000000000331885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.515{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local62686- 354300x8000000000000000331884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.513{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59952- 354300x8000000000000000331883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.508{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local63561- 354300x8000000000000000331882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.507{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local62124- 354300x8000000000000000331881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.506{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local58952- 354300x8000000000000000331880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.506{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64104- 354300x8000000000000000331879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.505{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local58473- 354300x8000000000000000331878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.504{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local49230- 354300x8000000000000000331877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.502{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local61708- 354300x8000000000000000331876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.495{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local55570- 354300x8000000000000000331875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.492{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local62228- 354300x8000000000000000331874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.491{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local49590- 354300x8000000000000000331873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.489{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local62614- 354300x8000000000000000331872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.488{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local59426- 354300x8000000000000000331871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.488{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58362- 354300x8000000000000000331870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.487{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local58362- 354300x8000000000000000331869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.485{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65462- 354300x8000000000000000331868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.484{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64627- 354300x8000000000000000331867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.483{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local55551- 354300x8000000000000000331866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.479{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58142- 354300x8000000000000000331865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.479{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local49199- 354300x8000000000000000331864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.476{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local55680- 354300x8000000000000000331863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.476{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local61179- 354300x8000000000000000331862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.475{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local58683- 354300x8000000000000000331861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.473{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53546- 354300x8000000000000000331860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.472{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local55450- 354300x8000000000000000331859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.470{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local56844- 354300x8000000000000000331858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.470{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local56844-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domain 354300x8000000000000000331857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.469{F81F30E6-0B1D-62E1-2E00-000000007202}2740C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local55964- 354300x8000000000000000331856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.463{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50299-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local49666- 354300x8000000000000000331855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-27 10:29:10.463{F81F30E6-0B0D-62E1-0B00-000000007202}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local50299-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local49666-