23542300x800000000000000062446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:29.666{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB62EE98A5E24462DB35EE38AE78DC62,SHA256=1100505DE087A16E1A6CFF91C5427C0D44631265F4CB640F3B657043124FCE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000123974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:29.611{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\respondent-20220801091716-126MD5=C43D34BE2B67B59870C23F5D1C058A3D,SHA256=06E4DF658D34D48A70EC2DD38C98F92C1FEF70D2DB99183ED0883C06837ECC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000123973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:29.444{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99CF63128BDB676E2A63A6687FDDD335,SHA256=309E3CB2E3440C72C3DDCE5F92CAE1A55FD09EEC711559CE1D4B329C2E2BFEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000123972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:29.063{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FF2A83EB115118F56A2A620979BEFBAC,SHA256=265A5A184A44166B7B23EC82657B2EC836D5D4D72145B091DC54CF9F994847A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:30.978{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0046F18B78E8CBD9CEB773C882A2337E,SHA256=B8D508BD404E9716350134B00A2AC18F4626E48DE7F1A494FC8A497D0D558864,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000123986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.924{99CEBDD5-B8A2-62E7-3405-000000006A02}85566900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.744{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8A2-62E7-3405-000000006A02}8556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.742{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.742{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.742{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.742{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.742{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B8A2-62E7-3405-000000006A02}8556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000123979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.741{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8A2-62E7-3405-000000006A02}8556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000123978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.741{99CEBDD5-B8A2-62E7-3405-000000006A02}8556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000123977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.624{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\surveyor-20220801091714-127MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000123976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.462{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6309F5C1CA5BC39AFBAD8F8C61D7BDED,SHA256=A8AD5285B59E37AF779B505EEB583F31DF43FB3F985B37B7817FA14735F822CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000123975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.462{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B2CF50F5C72C214B1AF16588608BB6,SHA256=A11902734409ACEAC7806FA36AD59E0CA5968F6B7D4DC8FBE1FF3368A00E724D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8A3-62E7-3605-000000006A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B8A3-62E7-3605-000000006A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8A3-62E7-3605-000000006A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000123999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.980{99CEBDD5-B8A3-62E7-3605-000000006A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000123998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:29.627{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61607-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 354300x8000000000000000123997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:29.627{99CEBDD5-9A1A-62E7-2600-000000006A02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61607-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 10341000x8000000000000000123996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.578{99CEBDD5-B8A3-62E7-3505-000000006A02}85926848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000123995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.562{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C276A03B61F37783DF2FB8EC4F7C04,SHA256=48A5D500AA8CEC3417F602B30DE9B82E0A0230E14B4A656D43EBD8FB46E1E689,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:29.386{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51231-false10.0.1.12-8000- 10341000x8000000000000000123994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8A3-62E7-3505-000000006A02}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8A3-62E7-3505-000000006A02}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000123988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8A3-62E7-3505-000000006A02}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000123987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.410{99CEBDD5-B8A3-62E7-3505-000000006A02}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8A4-62E7-3705-000000006A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8A4-62E7-3705-000000006A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8A4-62E7-3705-000000006A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.879{99CEBDD5-B8A4-62E7-3705-000000006A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.594{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7F6603CC6B18655BFFBFA7E73386F7,SHA256=D63830F661032FCFE28E6F225140792EC3852A7C18343E57A1869231D733B05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:32.072{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73111E09D9D5F79C6B56625257EE0851,SHA256=3C28A557512623421D5169A3C81EFCDCC63EE57A9D8DFEAD4628B58263FC15C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.425{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.cs@2022-08-01_112718MD5=E3857BE5211291BCE3E08EDF657A5231,SHA256=B64EE0E83AFD0AF62F3B2EA055B25AB13C6CB01C2CBE103E2CA3F59A31886350,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.145{99CEBDD5-B8A3-62E7-3605-000000006A02}27442172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:33.724{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96401DD1294384E37FE98F781D1360A6,SHA256=7F4173B7A5E53F84EEA03957245904AD6C591C337E3E06D2E4E4EDA6652B2EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:33.275{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABEE9C68158815F32E825ABF8C53D21,SHA256=B5F52D589FBBB46449EAD93448402A6F52FA0F363AC194C108A500C21D2748B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:34.861{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528FC048B411554091BF751F4BFC5048,SHA256=5BB6750A3142F4608B3B7F23FF9CA0868D401134CF5704865EDE2FBD11250D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:34.588{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80340DD8CECDA2D63A6917FAEC405203,SHA256=748052B2FD5C769E0AD89F0DDD8925F9A76E6CBF55B4491CB37B182B9227D07D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.327{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61608-false10.0.1.12-8000- 23542300x8000000000000000124021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:35.907{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCACD87DBB03716B36420E01D28DED8,SHA256=4BDBD56BB2D5EEE3D26EEEE433C73735B5E6F06238EE35B02CF917442BFA9C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:35.900{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2EB1EC5E2EC28A0755CA0E8BE808D2,SHA256=990F035C6D1CD449F4E84AC96AA0945BC11D989B2364004F193C6CFDAF1F6677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:36.994{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38570C86BAA5E10565CC74795A179C98,SHA256=21A312C4DCB504811B992E4E7758858224E6400C9DA3493A1BCA85146EDCCDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:37.773{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.cs@2022-08-01_112718MD5=E3857BE5211291BCE3E08EDF657A5231,SHA256=B64EE0E83AFD0AF62F3B2EA055B25AB13C6CB01C2CBE103E2CA3F59A31886350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:37.757{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.csMD5=8F09E7672CD428C5743D32E3AF8797F6,SHA256=FED4A36E350E32409A9BFCDBF70E9492811B2F6685DF6BFE555E2015BA9D8B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:37.058{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6335DC1B389F4B4BD514ADA0E88451,SHA256=518796478E5CDBC84FCC83207678BAF015308653A202252E5A9DC44CF93147A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:38.104{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C70A2C1BDC6BE4C9EFB41073563D9AB,SHA256=26F7A081EBEEF11A38AA227527B892F82E8E55760B55E2967417F8A8080063AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:38.916{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EE8A03892EAE8051233B2AED5EBE73C9,SHA256=D7CC730E8DA8DA1CC8E6632C0EEEB100B3D4CB0D20087B8C81C1CC31C6A06C24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:35.230{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51232-false10.0.1.12-8000- 23542300x800000000000000062454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:38.088{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED5A701F6A7ED60151872A775147768,SHA256=183F8B389093F59BBB69F82689D6841BEF58139385EA6DB9A153E2C6E6D9DC55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:38.122{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61609-false10.0.1.12-8000- 23542300x8000000000000000124026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:39.155{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26BB06E01A8D75CA297B6D6217089E0D,SHA256=F11ED3059918EEF53250E3EAC7489877437D4C0FAD2AA0FD26FAB5230A0F13D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:39.182{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A359EEF811B5BE8EB0E7582C1F9475C7,SHA256=3F4260A30DAE8F92788E4ECC0D3A92D6383EF45D5FA41180778CFB0AE6CAF26B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:40.201{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C5DE138C99A18E2459CC908A5DD50A,SHA256=2B66DC73BF2EDCB857EED8BFEF643AC2B7A7E659A6D30671619DE6C5155A3692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:40.385{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672FA73D512418B643DBB798C9FC2736,SHA256=AE6524EBA8806876F95816040E8C3C22E87447EB3EC4A333E5549FCDCEDF0C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:41.253{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE6AB9FCE0845E9EB0F8F596CE6A7B4,SHA256=DE83698BFE337EAB6FC54EF340FC93992E0B96160978BD6030C7B36C0D8708C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:41.588{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089B51F646434272417928484EBF1758,SHA256=ECA08EB2BA85AD4644B6905ABA1EA682809F822B93D42985574B77193A751BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:42.681{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C484D34753CA5E4CF7122E6DB87AC13,SHA256=13D5185BD8DA6C9D0871E861CDCF879BCBF3478A11DB2B92FEAB5DC1D3FBB0A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:42.285{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00C5B004884D60B54A14DD7CAF20E84,SHA256=ED6E57783B9EF153F595F67D440B4641611B5F7BCC2F693B326C43E35833F9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:42.052{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.csMD5=72C6E6D9154368FC00445F244C26C5B5,SHA256=A97E6FB2BDDAE8C204F84BEBD42B67381F6453D93A6F3C25BC754C0AB252460A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:43.885{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F2B7A7681CBAFB808B135DE35A7AE2,SHA256=547E2995A05148E7388E42FF575F940C5719BCF68D8B08959EB8E4A5F45B715B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:43.333{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9FB6F91686F2031D8D087A473ED100,SHA256=1ABD5A50A031BEC291B2BD19EA99000A8439DD951A0A2B79DAA5F028F6A2922A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:40.417{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51233-false10.0.1.12-8000- 23542300x800000000000000062463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:44.978{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CC33353B9779FBB3AB97A7CAFC9E17,SHA256=58D6640D2E8DDC33AB36B3C3BD75F8D2EE636B6868E694187DC2B3FD9A5D6CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:44.369{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A45FE44520FC668F68F1B4B587F0E75,SHA256=AD8339BBF51322BB0E60DCCCF9D7EB1F76E0F86E6E3C43571394A588F96EA01C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:44.097{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61610-false10.0.1.12-8000- 23542300x8000000000000000124034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:45.500{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F01FF6E87B9A40F8FCE7E289EFFB7BD,SHA256=83F75331CC929C55DB350E1E77B746D40C8385D72B303F969F990AAE9D01E2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:46.632{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC116C96D14AEB1D1657E81BBF2431D,SHA256=CD9BA432F3687A8784568E314A8EEA5BC999AE6FBAF4B255A4F80A4C80420EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:46.072{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4D1FFF179C88419E12632F53EBCDF5,SHA256=B0506F72E9CD2C35C141DB1EBB639075CDAB96C65F3568B3CACBA0EFDD0D3325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:47.667{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C9C33E864D4D1CC5B1022E4C262A6E,SHA256=0F52E3FD1D876B971C7EFC614F039350F4D0F561C2A0B97D2DD86EF1F711237F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:47.166{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49191F7A0FF2E7562DBF483978EE4552,SHA256=E1D866371521DF447699BCFF6B7D11B7FC14C2EB7F33DE9E1987C542513EA33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:48.712{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861E6317318D1A0677533E7F13F53B2F,SHA256=970D89BD9371FDC2D2BE3571A37368A37EF4F9FBDCC45D519337312E8DB2F513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:48.260{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33334DCBBDA02ED87682A128FF98788C,SHA256=21DE8AD35C257C4532021D615CC92FDBCF96F1584ACC880FFFB2898BDE6C5C0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:49.928{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1849a1f|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+1849ebe|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+184755d|C:\Program Files\Mozilla Firefox\xul.dll+19146a7|C:\Program Files\Mozilla Firefox\xul.dll+1b09163|C:\Program Files\Mozilla Firefox\xul.dll+1b002b9|C:\Program Files\Mozilla Firefox\xul.dll+1820265 23542300x8000000000000000124039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:49.749{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70A3360DA949C98836D256BD69D2361,SHA256=98AF6A12CDE3A9EBCE9345FA26548EA5FD672E43FB85E65C995964ECDA8E3CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:49.353{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A55A9F5D5747B04FC7669F66FFF5EC4,SHA256=733893202D3A41DCB0FC306CB62CF7BFB24044EF723CFFE331BC6BB3E7C17859,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:46.276{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51234-false10.0.1.12-8000- 23542300x8000000000000000124041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:50.794{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64DF097AFBDC0789E0A12B965D1C39B,SHA256=EA7036710D50DF86F50F1D1C9612FAD9A7F1D762F31027907007BDD8475BD4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:50.447{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901C2833A07AC99BD691B3E4666E8FB1,SHA256=DDFB70E833FE46688ED908EA63B956D81BCA820CB6F92657BFE2323AF0A5FC2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:51.827{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDA420B71DD3AB386BDBFDFCB8D0E29,SHA256=F628622A24A23B73EA99179B4440A6BA0A0AA4C2C4BBA197FCCC24134A42F4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:51.541{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE3CB00AD89B85D09BD5661CBF00D63,SHA256=9EA1D014F5E94D8E97AA17B69D0A43BBD47890BC4EB7864CCE246DE963CF1BEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:49.292{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61611-false10.0.1.12-8000- 23542300x800000000000000062471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:52.853{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CC1F5572C1BDC7EE643A6E91BD141C,SHA256=2503C55D1AA837A667E36318D875366E45AA214EDAB50C983222AADA31066638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.963{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECEABA3C2F00A19A45BA6D84F6D53D2D,SHA256=B1FD9CCB17FF187C0B3A6D86F1A541905087E3B84CD791AC34F994AFBC3BBB1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.724{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.277{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-99EE-62E7-0100-000000006A02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000124045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.162{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.162{99CEBDD5-9A0A-62E7-0B00-000000006A02}6327520C:\Windows\system32\lsass.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:53.947{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C32898C8C13738DDB8C5055A62DC23D,SHA256=E66809B5EB582A42FB7E6D56F6F2C6A8F5B86F4E61815FC2E30424ADE5AC4763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:53.307{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA6BF37D363E6DD46D8CC7E46D88F737,SHA256=5816D09FC6759F383D547D1AAB182AA9CC11C19CC28D672A44E014ED1F13B014,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:51.339{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51235-false10.0.1.12-8000- 354300x8000000000000000124058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.799{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14malware.com51714-false142.251.32.4ord38s33-in-f4.1e100.net443https 354300x8000000000000000124057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.796{99CEBDD5-9A1A-62E7-2D00-000000006A02}2748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local51713- 354300x8000000000000000124056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.345{99CEBDD5-99EE-62E7-0100-000000006A02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61614-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local445microsoft-ds 354300x8000000000000000124055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.345{99CEBDD5-99EE-62E7-0100-000000006A02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61614-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local445microsoft-ds 354300x8000000000000000124054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.236{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14malware.com61613-false10.0.1.14malware.com389ldap 354300x8000000000000000124053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.236{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61613-false10.0.1.14malware.com389ldap 354300x8000000000000000124052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.229{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61612-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local389ldap 354300x8000000000000000124051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.229{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61612-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local389ldap 23542300x8000000000000000124050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:54.006{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A77506EDFD4C4708ED7E18E53298F9,SHA256=7A98F6EE465EE8A9D95AE16DD67033919FD7345E61FBEEFD4DF46AECBA3BE5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:55.931{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:55.744{6DD70E3E-9A06-62E7-1200-000000006B02}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9E58CF5171A0744CEE860C14488499BB,SHA256=C69EEBC60EC324CC1DFE07224DC1DD4B5B736D64391C6EAC753C6FE432B26A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:55.150{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE584D90C601F0D213917B52BCEEB695,SHA256=8E5D3B033F5F97C5A2A281188E3155487F40A40F0B74639923EC251006B87351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:55.126{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182C58469B1B51D8B11996EE7F48B118,SHA256=49FCDF1FEBFA2B8112011848ED360855A2651C726EB9B13768FA3BD4D93885E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:56.353{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DD2ADCB7A03FE52C0C3A2C46C50BA0,SHA256=A1D2E8C68C9798206C2F2C6D9B1A80353D38DA45018FC23BE0B1CD6886CBD5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:56.157{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035116E63AE060CF12298C93C27B0854,SHA256=56F67DFDB67E7D1287FE726C68C101CB74C775FBCC42BB6D9F7CBFD91C983462,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:55.073{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51236-false10.0.1.12-8089- 23542300x800000000000000062478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:57.447{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40EA08B163BA1C16A86029DBB1090D1,SHA256=E5C206286F285B3419DFD4C2D76AC122A97C45A8623A750E29DC90B412A47701,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000124072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000124071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0078961e) 13241300x8000000000000000124070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a591-0x5e3cb64f) 13241300x8000000000000000124069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a599-0xc0011e4f) 13241300x8000000000000000124068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a5a2-0x21c5864f) 13241300x8000000000000000124067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000124066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0078961e) 13241300x8000000000000000124065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a591-0x5e3cb64f) 13241300x8000000000000000124064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a599-0xc0011e4f) 13241300x8000000000000000124063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a5a2-0x21c5864f) 23542300x8000000000000000124062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:57.319{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08481DE19B31FAD05F531AF63E66BC9D,SHA256=9A0CC04D80DC38C2BFCB3BF37D4F4E7400EF0586E03B39DBDF920B9B35F8E9D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:55.110{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61615-false10.0.1.12-8000- 23542300x800000000000000062480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:58.541{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7732B24AF1CF8BFFAC5F2BAAF937E3DD,SHA256=556CF6EA40DB89EE924C9EFC851CDE2816A6F77A3B480DDFFF724990138C08EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:58.486{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=95CED48468EE0E51208E63BE65E7A372,SHA256=C52B5C39FED5856F6257EDFF17743FE9F424456AABF1116FC9B9EBC7C7CD61B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:58.355{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3D2D2C84F085E16ACB258BA8FDFDA1,SHA256=6AC2D064F17620FA2064E78C8C5445128C07ADB740A81EF587C91385811456D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:57.370{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51237-false10.0.1.12-8000- 23542300x800000000000000062481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:59.744{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEA29D1DA720B8E18EE711517B0A31E,SHA256=2B46F6E8EF477F8B7B7C29D5F55FC4833490917E0252FE60A8B8DD9237CEBDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:59.486{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FA80979E5FB00469439C501531F728,SHA256=44A522C2BDD76E53CA676107141C40AF3B01D91A1E198C5CA94898F77E8FC1DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:00.947{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B3FA9976A9B974181503445D5FD0EE,SHA256=23F14BCEE69B313267A90427E1CCBE5FC4CABF5DF62067BD76C0B33280E3F238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:00.518{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034AF63A85E53C2D9A7FDCB62023E8AE,SHA256=6683E0636F860F74966646A0FB95B50BA5391FFD77323256088ACA986E7E6CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:01.654{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571D154B14FEDE62454CDDE218C149D9,SHA256=AA6BA48277EEE5B7E0F02B3FBFCE72E2F43B481620CB48E3CA6B4669B8FFAF62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:01.438{99CEBDD5-9A0C-62E7-1100-000000006A02}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BC4791E2AEA605E336BC9B3D533227F0,SHA256=58F146EAD94E70B9A5D39C25192D1726977F8DD8F4942A0320AB2D1560BF9F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:02.684{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F027E3226B99820436BD1C51DCAAFF6B,SHA256=A2D6DF7837E02019ADC661789B42F81C14E92D1F4D1406B35455FECC71BD00B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:02.041{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD5DDA73399A06C7CE4B08344A3978F,SHA256=FD47F458B4F25995F697EED80F3F7C29294CEE675D3DBFB80F1CD8EC313EB403,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:00.166{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61616-false10.0.1.12-8000- 23542300x8000000000000000124081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:03.737{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6AE2CBA8691D6D3246D59DC34E5B95C,SHA256=E7A885B73AFA99AA7A7620B66040583DA8BF6E5E40D6DF8C4B07E8AD9CBEF244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:03.135{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3DA7B2C756360FD818D9078E4881F9,SHA256=9B70DC0406B66EEBFA019DFC0B066006E936F2E0BEBAF4CA00A3C90CBDE5190C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:04.867{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CF83666D92ADEF4B8E7AFED2D3C6EC,SHA256=F928B0A90B11EC8AA19DC81D3602E4265C041405BFFDCA104542BF82D8487417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:04.244{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920C17D56A302AECA9C74173082E00DA,SHA256=673D7DE23EFA03BFDF10F0E1FACE671D408F2C80A1B917251583D39565476113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:04.116{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=006340520A1CAA5FD44CC923E9376961,SHA256=D48CC34B20918EA3E9137338F9685C3DD5BCB0DD715A9A7022797B693F0023E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:05.981{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8BA87CD90EA62C00D35F68A6EEC19,SHA256=BCE24BA3C2DF3AF8F9FE17BB9B3A46B33ABB109308016A50A1A526E714784175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:05.556{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C4113189840DAA8D9922864249BAC1,SHA256=884A6F49CA353583AF82E02CAB04A1F0B877DC2D03A77FCA2AD2AEC61DD94930,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.963{6DD70E3E-B8C6-62E7-3104-000000006B02}33483192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8C6-62E7-3104-000000006B02}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B8C6-62E7-3104-000000006B02}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8C6-62E7-3104-000000006B02}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.714{6DD70E3E-B8C6-62E7-3104-000000006B02}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.650{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8C53E6493A3BD098AF7F8032B858D8,SHA256=035EE2258B051F230050C2DA7950A7EBD349BAB38E0D7DA5CBE3C341EF38F04F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:03.245{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51238-false10.0.1.12-8000- 10341000x800000000000000062531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8C7-62E7-3304-000000006B02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B8C7-62E7-3304-000000006B02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8C7-62E7-3304-000000006B02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.873{6DD70E3E-B8C7-62E7-3304-000000006B02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8305C291299EA7371E6EC9491CCFCC6A,SHA256=821CE88CBC4DF0AF4313E1E95D12D37774379DBAD1E7190BFF432CE09EA27546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8155DD4B2DA14A7A4E9E31087F3233,SHA256=5D4D2CFED357FA2FB83E835AEB91360BD2F4BCCDD5626DDD5627B33ADDC594B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:06.199{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61617-false10.0.1.12-8000- 23542300x8000000000000000124085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:07.114{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=289370B0DDB4E7EACCDBFF655DFF3E16,SHA256=628F7E7E82711E50E5D261AE3F1CC580C0166A613860EA2A629CA93F14095183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8C7-62E7-3204-000000006B02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B8C7-62E7-3204-000000006B02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8C7-62E7-3204-000000006B02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.214{6DD70E3E-B8C7-62E7-3204-000000006B02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:08.947{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE1534448837FB1A006DC6FC5B2A9DF,SHA256=3E44302E469BE52E30519D0F080E60F55574BDFD3B8A3A26595065C8E2C17A7F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000124092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:28:08.696{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\AA1F4EAC-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_AA1F4EAC-0000-0000-0000-100000000000.XML 13241300x8000000000000000124091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:28:08.680{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6BB3AF8C-7492-43F7-B056-5E9FF3670852\Config SourceDWORD (0x00000001) 13241300x8000000000000000124090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:28:08.680{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6BB3AF8C-7492-43F7-B056-5E9FF3670852\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_6BB3AF8C-7492-43F7-B056-5E9FF3670852.XML 10341000x8000000000000000124089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:08.680{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:08.680{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:08.149{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE15D026D1F212D747F3A5CF69AD70D,SHA256=C551864196318CBE8F9AFBF41E52DF1BC87F7A13030C53D7F34ACA66DF64B313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:09.197{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8B5EBE9A1ECA3243F5C7CF7B79AECF11,SHA256=E34720F79740CC5AA618125506ADB0B5A748D0010980E33DBE5C07889B272CDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.534{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.534{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.534{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.280{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB516A63AA24F0A2C9916B0477D844A4,SHA256=8B353C1A7F0260F94ABC78C3A8A6D37C62544F27E857863D208FCF472AEBA817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.651{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9BA4F7F55FC2608CC0124402647BC82,SHA256=8C6402A9246D907D48B2B060C7FAE6CEC3BE5F3E6FCA56E7B16DFF70E750F052,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.549{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.549{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:08.747{99CEBDD5-9A0C-62E7-0D00-000000006A02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61618-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local135epmap 354300x8000000000000000124104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:08.747{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61618-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local135epmap 10341000x8000000000000000124103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.365{99CEBDD5-9A0A-62E7-0B00-000000006A02}632668C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.365{99CEBDD5-9A0A-62E7-0B00-000000006A02}632668C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.365{99CEBDD5-9A0A-62E7-0B00-000000006A02}632668C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.315{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677739899D0DD595355B468F426E682C,SHA256=A37CEC3EBE0BF28589373B3D2DBD6D3D19FF546A7AE270FBD43630A23CEF782E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.338{6DD70E3E-B8CA-62E7-3404-000000006B02}3844068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.259{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6925CC0DAC65E166BB7147B856CAE1,SHA256=666032D66E27715F4181118B78DD32C59BD3F5BDF535892C7DB55C8908E80239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8CA-62E7-3404-000000006B02}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B8CA-62E7-3404-000000006B02}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8CA-62E7-3404-000000006B02}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.167{6DD70E3E-B8CA-62E7-3404-000000006B02}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.249{99CEBDD5-9A41-62E7-8C00-000000006A02}49404420C:\Windows\Explorer.EXE{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FB658CD8)|UNKNOWN(FFFFF511E5997E08)|UNKNOWN(FFFFF511E5997F87)|UNKNOWN(FFFFF511E5992611)|UNKNOWN(FFFFF511E5993FDA)|UNKNOWN(FFFFF511E5992296)|UNKNOWN(FFFFF802FB36E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000124098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.249{99CEBDD5-9A41-62E7-8C00-000000006A02}49404420C:\Windows\Explorer.EXE{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FB658CD8)|UNKNOWN(FFFFF511E5997E08)|UNKNOWN(FFFFF511E5997F87)|UNKNOWN(FFFFF511E5992611)|UNKNOWN(FFFFF511E5993FDA)|UNKNOWN(FFFFF511E5992296)|UNKNOWN(FFFFF802FB36E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.249{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF78c607.TMPMD5=E28227B6D6E494469AE6EF4D3E29C7E8,SHA256=FFE486831FA5E731F94AEE76A4513D77409B0F6376D19058D532A16B272B6CC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.599{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14malware.com61619-false10.0.1.14malware.com389ldap 354300x8000000000000000124113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.599{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61619-false10.0.1.14malware.com389ldap 23542300x8000000000000000124112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:11.448{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2EC49FBFC4CA4A3845E295FE55D8A5,SHA256=E74BF3E7ABB35445234C8C8E51302F8BAB3AC554A2B45EF16670C456BAFA5700,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8CB-62E7-3604-000000006B02}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B8CB-62E7-3604-000000006B02}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8CB-62E7-3604-000000006B02}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.952{6DD70E3E-B8CB-62E7-3604-000000006B02}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.592{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\respondent-20220801091656-127MD5=27E9143B9CB90649B07EAF2F4EF1772C,SHA256=A1ABCC2732E4C7E234845602CC2F5F62DB7BFA56C76C6EE76535F9D8057806B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.481{6DD70E3E-B8CB-62E7-3504-000000006B02}37562520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8CB-62E7-3504-000000006B02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B8CB-62E7-3504-000000006B02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8CB-62E7-3504-000000006B02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.278{6DD70E3E-B8CB-62E7-3504-000000006B02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.246{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF330896760BEAD5A8966A2C033EFEC7,SHA256=DDA84B908CDA49F2EDB7C0AB51C078418C301A1782BA2FF7A780A2418E35AAB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:11.232{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2A00-000000006A02}2644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:11.232{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:11.232{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:12.594{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72C484518152942DE783910EEDD4A82,SHA256=AF24672F43710C246D235562A30CD30AB278F520C86550101CAB4421F91C2075,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.429{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14malware.com61620-false10.0.1.14malware.com389ldap 354300x8000000000000000124117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.429{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61620-false10.0.1.14malware.com389ldap 23542300x800000000000000062581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:12.593{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\surveyor-20220801091654-128MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:12.451{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F377D8F7722DEB06A3BB81C197CE2BD,SHA256=718263311F9572F109B6C985ED79ED0A0AAB63690882740B83CF0CAC31194213,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:09.261{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51239-false10.0.1.12-8000- 10341000x8000000000000000124116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:12.147{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:12.147{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:12.139{6DD70E3E-B8CB-62E7-3604-000000006B02}33682544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:13.630{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02508C27613E08D7E606922779B03F2,SHA256=C50A7E20DB46BDAD4C95FE7AB2E08E6327E45E29E19AE78ECC1D904FC7410DA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:12.127{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61621-false10.0.1.12-8000- 10341000x800000000000000062595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8CD-62E7-3704-000000006B02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B8CD-62E7-3704-000000006B02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8CD-62E7-3704-000000006B02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-B8CD-62E7-3704-000000006B02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.326{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65A2E7EB136863F23B80DE8B47427AD,SHA256=4438509ED9AAB5A9FC6FCEA8D35101347095680ADBA351E89229A9BAB39644DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:14.529{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413246371E2493A49390B2E61C46893D,SHA256=28D9AC0B7EE3B6FD7411826BB6C76CB4523B302CEECD705BE1D5CC8335D032E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.676{99CEBDD5-9A41-62E7-8C00-000000006A02}49408776C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.676{99CEBDD5-9A41-62E7-8C00-000000006A02}49408776C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.676{99CEBDD5-9A41-62E7-8C00-000000006A02}49408776C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.661{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.661{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.661{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB025D26B96111462B2907A6E921773,SHA256=C396E12559C11D28B63D681E6A94B270FB83AD41829922B0B94CD15F48137730,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49406820C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49406820C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49406820C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49406820C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A0C-62E7-0F00-000000006A02}104352C:\Windows\system32\svchost.exe{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.630{99CEBDD5-B8CE-62E7-3905-000000006A02}51486316C:\Windows\system32\conhost.exe{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A3F-62E7-7D00-000000006A02}3228884C:\Windows\system32\csrss.exe{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A41-62E7-8C00-000000006A02}49409452C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+20f438|C:\Windows\System32\windows.storage.dll+1665aa|C:\Windows\System32\windows.storage.dll+166302|C:\Windows\System32\SHELL32.dll+4c89d|C:\Windows\System32\SHELL32.dll+4b436|C:\Windows\System32\SHELL32.dll+6cf99|C:\Windows\System32\SHELL32.dll+e085e|C:\Windows\System32\SHELL32.dll+154f20|C:\Windows\System32\SHELL32.dll+17acfc|C:\Windows\System32\SHELL32.dll+198148|C:\Windows\System32\SHELL32.dll+17ae96|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000124122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.619{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319"C:\Windows\system32\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000062598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:15.842{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC2AD870F5A6AC97F5692CF7663A9B0,SHA256=B2CC62F5639BA1F1360F74016C1BAE511BCF5A4C4608EF3306E5884866B01710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:15.692{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BC4C566F6CD8DDEA9C77C78CE6930E,SHA256=528A14C0CB76CB692D18810C7FFE6C46659351B9979427DC45B5A646F5FF84D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:15.661{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0418540AD46DABF1A0AA3419CD5D1A,SHA256=606B1F287348C192A0E4F678D31EB9C10FAB43BCE6E8086286BCBE16AB600230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:14.998{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1FF96A0E36F214F0F4F9A1A6971E1EC,SHA256=8FA97D3693E12DD46D74725CB8E053D1E93B7E16B80CE565D3CF30DEE478DE05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:16.935{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB316BF6B09A6BC3530A1CCFFDCDFDF,SHA256=7313673720017647530EBE98E0417FB55ED2044AAB69781DC8B5D9EE35DEE0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:16.728{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1886BB28C099D948846E7A8A3973A5,SHA256=A428A138DD661BF86C8CBCCF9B664ACF0EB244EF8BB9E6DB2C58EDCA9870958F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:16.211{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:17.874{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7C7376AEB3BEDE62A251F92A9299F8,SHA256=C95232505F248300A4C4D8A8178A40C37A3A158EF3B9F9CE783A71F0848CD630,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:15.218{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51240-false10.0.1.12-8000- 354300x8000000000000000124151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:16.256{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61622-false10.0.1.12-8089- 23542300x8000000000000000124153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:18.906{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90FCFCA77C431105F191EF6DB203F62,SHA256=2263D11950BDA045D6DB82FC9A83BA0EA8F752230D22A42DC6022B5F442C786B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:18.029{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5116CB127C7B5E77BC595B7A8D4D5219,SHA256=120AEAD56B5547F2147A6AE8F38314E99CD1EEC09F4C1460E81D72EFFD87140E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:19.909{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5249E2361AF20774928953522AD708C2,SHA256=0465CD1E48C76440BE7123018B75931BD6B3A2F4E394AA9460100C4F07E47E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:19.342{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5866BEAFEF6104664405C3B5266818,SHA256=991D007D07CF64C442EC479B1C1C9BCA31773D148A28B4C05507138BD39863A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:18.107{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61623-false10.0.1.12-8000- 23542300x8000000000000000124157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:20.943{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0424C8FD88CA3D05FD9499C5C7F3541,SHA256=3759D26154264B210BAB9F8756F6421DA31CD6AE30C4317AF02D6073467738CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:20.545{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E247524F4384806764788CD903F9F35D,SHA256=20B32FE84560F21F661D466E3DDCEF78BFA7D9A0B886E91CE1574370E45775E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:20.828{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1849a1f|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+1849ebe|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+184755d|C:\Program Files\Mozilla Firefox\xul.dll+19146a7|C:\Program Files\Mozilla Firefox\xul.dll+1b09163|C:\Program Files\Mozilla Firefox\xul.dll+1b002b9|C:\Program Files\Mozilla Firefox\xul.dll+1820265 23542300x8000000000000000124159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:21.989{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA0149035A2880D269053F6A83F41B7,SHA256=1C10A2BD62310C29C5AF6B79912733DC0C3BD230253B09E87B30192895040FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:21.748{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F36C47032BD11D7A8E10666CEC6EACE,SHA256=423CC28F034796E835BAA6E702987851C3FAF81AF7A13EE66F3AB41B5678BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:21.406{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:22.842{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7C261D7926D4E08B535821DACB7975,SHA256=D0C43712ACDA161D0147ECA78A41EF3DBCF0C37BA255DD755F4693127C59054A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:23.935{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D71BED28A2280FEF1B814A5B207AC60,SHA256=20899D9A1D64F02D8F968B43B8DAEE3AB9557208037A0561828E8B637A322DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:23.026{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C559990F0FA87C86C0B89DB292DF49,SHA256=3B5C6271A8EDB9C19DB43128194F758D456B8D5BB89BB7BE8586EF5C69F05B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:21.233{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51241-false10.0.1.12-8000- 354300x8000000000000000124162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:23.190{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61624-false10.0.1.12-8000- 23542300x8000000000000000124161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:24.071{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043AD401A8333EBD2F7563DF5D4A5010,SHA256=AAA2A2B971F4303294A7623C4969881EB9E1C178477DEB0D8CB662859DF64311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:25.103{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECD3C3F0CDD9AC2EA723AE9DD814A7D,SHA256=A58E205AB9AF014464375177F489EB85D0BC0A9114B1CF19FDBD38651F107477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:25.029{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FF2D092EFB2841FDA1F8694D75A241,SHA256=B21F5538B4823927F4FAC6B98A20C75B23441391F4C8391F7FF3322C9B54B81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:26.202{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBBE4016785496EF9B352EEEF69B9D0,SHA256=08239801AA74CBDC917D8A15203E05C9E225A3B73423988AE609695F629AA152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:26.232{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DEEFC421EDAA113A52792DC3A171ED,SHA256=3A14133726199704956235F908DDC215F7092710B391F98E67F8B0D09A4AC096,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.521{99CEBDD5-B8DB-62E7-3A05-000000006A02}74328788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8DB-62E7-3A05-000000006A02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B8DB-62E7-3A05-000000006A02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8DB-62E7-3A05-000000006A02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-B8DB-62E7-3A05-000000006A02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.236{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5210A51B230CFF2ACB61111738D61759,SHA256=895D57084F245D2900113B0EAFFA2B404C0898FC794344704ADF3D663545850E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:27.435{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28683952A67EAF4AF3FD0D18F8723B1A,SHA256=F780C05E18BE45DBFDE8CD8A28A332398034500637DB04175E17957EB1DAEDD7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000062619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000062618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00790c19) 13241300x800000000000000062617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a591-0x6f550b51) 13241300x800000000000000062616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a599-0xd1197351) 13241300x800000000000000062615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a5a2-0x32dddb51) 13241300x800000000000000062614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000062613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00790c19) 13241300x800000000000000062612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a591-0x6f550b51) 13241300x800000000000000062611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a599-0xd1197351) 13241300x800000000000000062610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a5a2-0x32dddb51) 23542300x800000000000000062621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:28.638{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997C60001E6D2E2E89C0EB919ED0A770,SHA256=573507F14C2EA88E541B7B6FFBC0330A15168A1B552625A05D81641AAD87B5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.851{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=52F7F5DD364B8D7537127AA3EF4EBD59,SHA256=49F2C4C52E222FACD5DE2D878A9F8C6E692A514F1874B2A36DF18AA86693C197,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8DC-62E7-3C05-000000006A02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8DC-62E7-3C05-000000006A02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8DC-62E7-3C05-000000006A02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.652{99CEBDD5-B8DC-62E7-3C05-000000006A02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.436{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B72655138E022EB3C82E6E730A81432A,SHA256=B12E14F11D6AF66212054479BE021691EB0299A8BAA6A238AA83420152CB0296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.351{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B04337C2EDE1BE1386C68FE53BF6A6,SHA256=916072B9DFD67DE9BE160F1A8AC4605F29DC802710CF25680A8BC72B6DB3B130,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.002{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8DB-62E7-3B05-000000006A02}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.000{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.000{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.000{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.000{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.000{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8DB-62E7-3B05-000000006A02}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.999{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8DB-62E7-3B05-000000006A02}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.999{99CEBDD5-B8DB-62E7-3B05-000000006A02}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:29.732{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D2D39242ED9FD8E29001EFBA157959,SHA256=F6AE6777CB09B2B2EC5A29F97487B87ED7EE216B7DE019CC2EA5D90677E4FE17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:29.381{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755BB098562CDF1522474F602AB3BE81,SHA256=CD0AEFFDB53548D0F9EF9E220701D90BD928DC3AEC8132296E6A612141992B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:30.826{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3F478298185ECEE0B6852334984DCE,SHA256=46ACC78F8CE0342A43A1A23FC7C489EADAD49EDB976BDE661AB73A088AD58C9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.935{99CEBDD5-B8DE-62E7-3D05-000000006A02}92369536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:29.630{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61626-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 354300x8000000000000000124205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:29.630{99CEBDD5-9A1A-62E7-2600-000000006A02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61626-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 354300x8000000000000000124204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:29.162{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61625-false10.0.1.12-8000- 10341000x8000000000000000124203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8DE-62E7-3D05-000000006A02}9236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8DE-62E7-3D05-000000006A02}9236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8DE-62E7-3D05-000000006A02}9236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.766{99CEBDD5-B8DE-62E7-3D05-000000006A02}9236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.434{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D1A808AC6FBEB65CF7C22943B94377,SHA256=F02F24A28387A76302B34573B3CFA80C2A3136B0AEFE57424D6394047BD9FACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:27.233{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51242-false10.0.1.12-8000- 23542300x800000000000000062625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:31.920{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD2EE3A3CABDAB27DF3010626ED3F5D,SHA256=4E6FC0380B3442B987F7AA8D9E10159048CFFA2E9982D656C66CC0D986FDCA7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.603{99CEBDD5-B8DF-62E7-3E05-000000006A02}86888608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.534{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2D4FEA8ED62299481D161648AD295B,SHA256=CA5F21671A4BE0B9FA3C107674E219A2572B169BDD672CD5A1B853AB6A052D8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8DF-62E7-3E05-000000006A02}8688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8DF-62E7-3E05-000000006A02}8688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8DF-62E7-3E05-000000006A02}8688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.435{99CEBDD5-B8DF-62E7-3E05-000000006A02}8688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.152{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\respondent-20220801091716-127MD5=C43D34BE2B67B59870C23F5D1C058A3D,SHA256=06E4DF658D34D48A70EC2DD38C98F92C1FEF70D2DB99183ED0883C06837ECC6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.901{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8E0-62E7-4005-000000006A02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.899{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.899{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.898{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.898{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.898{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B8E0-62E7-4005-000000006A02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.898{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8E0-62E7-4005-000000006A02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.897{99CEBDD5-B8E0-62E7-4005-000000006A02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.534{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A96AE53F35378E0B57877542FC93773,SHA256=18F44ACB2A32B03D2B98FB7E4F5FDD4DF3D40257EC8F3B6496FF3B3D2C681A64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.203{99CEBDD5-B8E0-62E7-3F05-000000006A02}89926836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.150{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\surveyor-20220801091714-128MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8E0-62E7-3F05-000000006A02}8992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8E0-62E7-3F05-000000006A02}8992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8E0-62E7-3F05-000000006A02}8992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.036{99CEBDD5-B8E0-62E7-3F05-000000006A02}8992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:33.580{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AF88079308702ED1225D741B8B0B1D,SHA256=F5E2FD3F1D8D108F6DEB343A4F0CF4CDF57CB8963E2A4F056274BDB913475608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:33.232{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6791ECBC08E1FC318A5D95523F32E0FE,SHA256=831F895E1EFF755518DF50FEE095CBF1EB439DB13C2571CBC4F47FD31749FB05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:34.632{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1849a1f|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+1849ebe|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+184755d|C:\Program Files\Mozilla Firefox\xul.dll+19146a7|C:\Program Files\Mozilla Firefox\xul.dll+1b09163|C:\Program Files\Mozilla Firefox\xul.dll+1b002b9|C:\Program Files\Mozilla Firefox\xul.dll+1820265 23542300x8000000000000000124239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:34.616{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D23E7451D780B861B86E734E2BD43E,SHA256=ACBACA01C80FCDF42C1E126053B41D0562F9694D4C5579238BD1BC09BA1E8373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:34.435{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBD1382CCFCB918191D79A738EFCCBB,SHA256=7744B39832DBE03DE4398575127CF69211A4EC056C49BE3B314EA6495C6C4FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:35.762{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA7EED76667AF2440C144538082E3D0,SHA256=1371F922244AE85FB8BA9BFA4688220C2AFA1E37215A67759F03289E2C5A9199,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:35.731{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000062629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:33.280{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51243-false10.0.1.12-8000- 23542300x800000000000000062628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:35.529{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F85BEF9B019165FA6984ED60B0F6924,SHA256=D6EE70220073E1FA1315D7E30683F109450BEDE72D3742DC6E5E7D37625D6BB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:35.158{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61627-false10.0.1.12-8000- 23542300x8000000000000000124243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:36.762{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9428608C28123887DF4618CB9E3E9A,SHA256=661685DAEFF79682B747AF94627CA9CDDD85CB781A39828E3941602006038B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:36.732{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067A8164F6F4A9D1C8B4761723BC0470,SHA256=2D2B877738CA3B7AE750FDD96585B8AE2627B5CBBCFDFD0C91370DEDE832E1C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:37.915{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=869F40CCAABCDE8AA4781D9218F085AF,SHA256=A1E2778D6B3A348E0E1BF4668258BCBEC759EFA1E954B2D4D124D7417D7FA94D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:37.826{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E78EEAE1928F0D0B7AF44DEB1B82FB0,SHA256=2431256D6AD7381EB2A72ED37CC49CC50C3BCCCCD3425EEE21E197F86ED346D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:38.961{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B3F45EFEAEE5E240597B1E1B637E4B,SHA256=66274E4FA1EDD9FA8D73E137665F2E2917721010E21F6F58664A7D7AE51D964E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:38.920{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EC149C495A8F13DD8186AC7B670F10,SHA256=E7B3A32796B54FDF7E6E3B87CCC66C703B0C504F4B9D782FC41068339A2778FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:38.529{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F7A14A437D859781E1F49340562031D4,SHA256=8F9BEFA3ED072AC334736C8A6A50EDEA8B49894DC9AA17C57E58661D3A91757B,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000124247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-CreatePipe2022-08-01 11:28:39.860{99CEBDD5-9A41-62E7-8C00-000000006A02}4940\UIA_PIPE_4940_00005f20C:\Windows\Explorer.EXE 23542300x800000000000000062634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:40.013{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A053402E63B13DA3E8D235EE8DD6A2D1,SHA256=FFCC52635F235248A339D5A21963F1508B29BFB2D25E37EB07FAA917C51E3BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:40.093{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC22142F19C3F4B8B8C4A2FB118AD812,SHA256=756669F69AAE76021C20D2815C86206D419B965D8B7F2F0400F4E5EAD99245F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:39.311{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51244-false10.0.1.12-8000- 23542300x800000000000000062635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:41.217{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BB200D56B14860E7C4751BB99F24B3,SHA256=FF22E4D602250EB4B36FC1DCE0A9F23D9E8F193E891BAFDB15B9BF9C5A473F55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.473{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000124256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.473{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x8000000000000000124255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.373{99CEBDD5-9A0C-62E7-0F00-000000006A02}104352C:\Windows\system32\svchost.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.373{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.358{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.358{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.358{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.358{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.142{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E3CEA8615D2BD590E31B131ED4407C,SHA256=D1650CD0A6D53323CE005E6A471E23402E91BF2E15E191B59081C84D46004AE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.625{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.625{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.625{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.609{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.609{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.609{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.609{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.441{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8F212703105FDBB81AADFCD963F8B6C,SHA256=E81F0A6407996E7A0866C9279FD316DFD353EE80D32D3A01EBC7E3E4CF3FBE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.192{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEC547B43212204F4BEFF26B3B2B2E4,SHA256=C58613FE82DD0049CD233B7FDF03971E40FD4FAF57A7D35E139C6F81F9D942DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:42.420{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7D558589822B31D4B09CC8947B368D,SHA256=23748AEFB69041C99E0FFBCE38D1CC3648BFE93406DD7080C143919668A721B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.010{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000124258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.010{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 23542300x800000000000000062638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:43.513{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEA49454AC29140E0B1847FE1E0D885,SHA256=9B35403FF7019A58A58F5D37AEC96F010174F3EA5458562271895E51D93C078C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:43.355{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8CE6F9C6D290E45D49C6D719BA31FE,SHA256=506820EE05BB4012C22A3EF00B941A7DB6742A255F5883AF62B2E3DE801F0DBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.106{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61628-false10.0.1.12-8000- 23542300x800000000000000062639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:44.716{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65ED20E13B9473D2850C5F20007EC518,SHA256=A72FFA2152BAF1BF630AE49B40805EE4DCBE0C9781F95E195C986287B3407392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.470{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3D5AD361DC7B0D73CBC21CF567CFAE,SHA256=B630AFEDA488733599BF482882272D44B4505ED2272B3B5E7AFF8EC7634FAA7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-B8CE-62E7-3905-000000006A02}51486316C:\Windows\system32\conhost.exe{99CEBDD5-B8EC-62E7-4205-000000006A02}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-9A3F-62E7-7D00-000000006A02}32289904C:\Windows\system32\csrss.exe{99CEBDD5-B8EC-62E7-4205-000000006A02}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-B8CE-62E7-3805-000000006A02}34768576C:\Windows\system32\cmd.exe{99CEBDD5-B8EC-62E7-4205-000000006A02}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.417{99CEBDD5-B8EC-62E7-4205-000000006A02}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /out:c:\temp\dcrat.exe C:\Temp\1.csC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319" 23542300x800000000000000062640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:45.810{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF798E603EF60122F929FC1633FC1DF,SHA256=58FAE48CEE37849652CE58DCEC0A9CAA665E607FFA6E4971E67A8280190E1D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:45.492{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBAFD968FEC651EA28E6FB81CB2A852,SHA256=357125E4AF0963886A9B68E44E6F901BAE968B5A5ECCF9E8F3308E2BB6505028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:46.904{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4003BD2DE42F362EC257F36809A64796,SHA256=B57C2250A8F0B82AA4CD77FED5E54348B3B2BE462913B2A65A36AA3869619BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:46.640{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34599E052E5849E90DAEEDF4F8977C43,SHA256=FE89244287688AD462DA20EB95E28DEBA32756DFB89B808ABFA88CD9CB020272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:47.686{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6468968BE13E42CF9CD64E302652FD6D,SHA256=CC809132B1F04108C14ADD67F04209D44DE2666D7EE62712634C11C4CBA2751C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:44.327{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51245-false10.0.1.12-8000- 23542300x8000000000000000124283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:48.771{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795B8423145F591B9782B570BB34FA7F,SHA256=52837C7C4866877AD463E8AF0BDC0DE255D82A942547023F4212D48CDC0E4CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:48.107{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4150B81EC1EC6FDD72CA2CC6C1CD463A,SHA256=E1F6C3B692998D19D5243FA1C18B289921F730CC7180FFB0DB77B2E6F532793F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:49.858{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C035B0DA044A923BDFDCC9BD730D009A,SHA256=3E95D647DA8A2488054265D4CEB47D712506DB72B8942640054EFE01FF3BC171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:49.201{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D6AA05A5F12D039029E09817565DE5,SHA256=A0F806F8D273FEBA72F08AC525EE36992A6E2AC5F4829C455B85E9E2B13A2274,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:47.103{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61629-false10.0.1.12-8000- 23542300x800000000000000062645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:50.404{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6B14AB590189F63BAF6D08D822E230,SHA256=C4F2EE540FB94860654C32CA1CF4AA17AC4BEF62CB9CB5E83DE3279589F330DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:50.889{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC91F186B7667F54CF1C53610A97B281,SHA256=3C5196F06A7988741E2FD1547B72F047C2057C3A22FE405406A315877B450BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:51.607{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4761E238804CFE01EB8364979DECF9,SHA256=CF12E43ADC9B9581C3D5FF918AF792606A4A466EDF2B76FB87D5196B5862B363,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.058{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.058{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.058{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.042{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.042{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.042{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.042{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:52.920{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D373F509497A9C86C08E47C6010970,SHA256=A849CB2EE26AC162C59030EE1B71F2D75107DF9807F84604689378AB4DEE8B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:52.010{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C109F015A7AA1D9E8756DB219B32FB52,SHA256=B85B57C6E9707AE437C09F4CAC8FAE135C3E005FCCEA677CCF768132E158E91F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:50.217{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51246-false10.0.1.12-8000- 10341000x8000000000000000124303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.595{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.595{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.595{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.595{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.593{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.593{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.593{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.157{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.026{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B830848AF0310E834A2711BEC1AAEBB,SHA256=C7316955FABC6B6FDC58FE705AE22666D96C496AA0CF7D1EB53A871FAA14E1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:54.123{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FE3D1BC4B89944BFA20E5E3EFC1050,SHA256=7B84B53CA3990CB55FE8C250D26754BC2597E2914E009908AE3F24847983DAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:54.072{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4B0F91B0B96CC826E69233DFDE4973,SHA256=764054712D55BC9DF1B6C7F6A5F059FBAB0CAE12655C44BFDADA159C613E3F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:55.951{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:55.748{6DD70E3E-9A06-62E7-1200-000000006B02}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7906E9B605A8A12CDA312335F33A47ED,SHA256=22D8DCB9DF27F8331B4A561DBD88CAEC4B208B5A41419A41AF12A7DB78D907DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:55.216{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E57A6112227679C5799B242AEA465A1,SHA256=C917EE9C3CDB61235598D6A49E1CD8684660E4B92CB731B82DBC044A6C41B258,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:52.190{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61630-false10.0.1.12-8000- 23542300x8000000000000000124305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:55.123{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18505431CDBC34C72540529120FCD28,SHA256=2C25572786C26B5FFA6949B337B0E4A3EE66AAF8FFD6D1DB99E321620DB6DB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:56.420{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2E7484CCD6E69156FA5EC36D5DE087,SHA256=DB126AC525994FF483D3E871455338F9A82186978B0C54D0E750850F279B399B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:56.269{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BC3058BB01B204B3E8B2B6F33032C9,SHA256=D1B1CB1749D9E0D555D17FA27C3F07EC2691CCFFF6B55B31DD03B03E2663ECAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:57.623{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3030B44E70D1822FBE28F768B571177,SHA256=7F32CDECA1239B8990661512D9E3FD0BDD81728B7FDB55EF2C280A7535067EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:57.305{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78E82178697CC470DA19C40CAE1DC24,SHA256=90849D3A6EECD5AA0E674B1672DF767A51A59C0E54DEF8EBAF4D7AACD21A3396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:58.935{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7C6F780BD35057ADBEC32C5B20F394,SHA256=ED9E0485F02C2314302D530C0BAD3F21C820C435D66FD22A7FC11553614E25C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:58.420{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13F1ED108D367367AB4FC2F5985C04F,SHA256=B5568FD84257918F4DE4B6DEC0406038A943D58E24017E603DAD37666C91C384,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:55.327{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51248-false10.0.1.12-8000- 354300x800000000000000062658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:55.092{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51247-false10.0.1.12-8089- 10341000x800000000000000062657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:58.029{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1500-000000006B02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:58.029{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1500-000000006B02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:58.029{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1500-000000006B02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:59.450{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0602A3EA13B300A2804CA02166FB1B29,SHA256=4FCAF73D7D4B8C2694150A4ED08A7FC159971F330E2F86CBA4D5489873F76D7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:57.316{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61631-false10.0.1.12-8000- 23542300x8000000000000000124310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:59.134{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=35F2103DA698B023B6CC7E9C8D5AB3A8,SHA256=1E88DCE9DDBE076548B4D0C6B5B8A6A2C1D0DDA788D95176EF684A0B47935687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:00.138{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C945085076769756C397C8B542EF9D6,SHA256=505B023BE27F6B27E27404A7689BD8D1636048DDA7B095A71BDF21F20C92C90C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000124314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:29:00.702{99CEBDD5-9A0C-62E7-1200-000000006A02}384C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8a599-0xe589e725) 23542300x8000000000000000124313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:00.465{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D789EA90ED29CC98173AF92A16ED846,SHA256=93834D6CEDE47C8BFE068083509A99E1CE38ADC5C79FBA05D20863D8BF95832A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:01.232{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BBDF5AB0CED3711D81F2599658E441,SHA256=FF080092CB50A5AD90E0F6FC310F8789968DD1D7B737D9BF5B9B3163EB682DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:01.582{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1D197ED9936125E5888A1DDFA3836F,SHA256=73A5B2055732F78DF18ABE0912DCBAEE41DF2F1BCAF04C9A9F989E5C15A2961B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:01.448{99CEBDD5-9A0C-62E7-1100-000000006A02}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0B0D4126C3E472498FDBA5CE66910747,SHA256=CE92F2B313719455C172116C389CEC61B76308BF045E14F262701781FF7C6452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:02.435{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C875F3128D146C2B1D4BFD3638F42361,SHA256=6B50F4CC555C88298C674C3347C4F2742C34BC19ECE8E282C116ECFC1810778D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.717{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2964164CE9F7EDF0246B8E7AC637DE33,SHA256=992A44F7A09DBD0940589C730D71861DD10072496747126C54F892E766A758B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:03.654{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F54EDBA735DA1440DD9E12243EB2F7B,SHA256=4E4D105FE79F65C8EFDE40549CD8CDC80738D38484927F6BAD32E84DBCB78364,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:01.233{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51249-false10.0.1.12-8000- 23542300x8000000000000000124326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:03.762{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C1019D85113EF67FE01A53228DE7A0,SHA256=8129E4238F3EABC67999EB571074F355AD6A8695366CE4B839427B820CC5B574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:03.562{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=37925BAD6EC8890F44324857FF02C84C,SHA256=8B4BA21BA3A12E58838C040AA69E22D4DA63430E5EA45B33D5D7625FD8DEE835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:04.857{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88068260E1B552842255653C154BBBDD,SHA256=D251BE5EDD6E0AA0C540D236F93C2265D4A053876E2DF324475088D1A2C96CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:04.814{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8256AC0D094A8E6902BE1E7FEC734AD,SHA256=92E34009F7516639BC45E15D02F6C7AD9C4FF2DB137FE89AD912928CD25FA0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:03.211{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61632-false10.0.1.12-8000- 23542300x800000000000000062667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:05.951{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8822540851BA72DDD7A9CE56FB6CBBD,SHA256=C504BF72D44DB2DB49B04BE62102EF1EBF3298E86028346F7F9FD750768A0D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:05.859{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA46135D762D6D2C5950AE05F5EFE52E,SHA256=9BDF21BA81F44FB4CE634BC25C27A854B74A9096EDD70F110AB949DCCE8915E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:06.895{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3587D0D799C14781EB7626874551B1,SHA256=586517C37AF69A6996DBFC647E2906CC420FCCECB82ECE3796A77F973CF1072A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B902-62E7-3804-000000006B02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B902-62E7-3804-000000006B02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B902-62E7-3804-000000006B02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-B902-62E7-3804-000000006B02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:07.941{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7F0D0BA925720EAEF12EC1250FB376,SHA256=F4CC2D4AC4C6F39F2DC9D07C75B8C16202FBC794D5BCFE8B41053CBFF5597C27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B903-62E7-3A04-000000006B02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B903-62E7-3A04-000000006B02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B903-62E7-3A04-000000006B02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.889{6DD70E3E-B903-62E7-3A04-000000006B02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.841{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2EE927881381BBEFC79498893D452AA,SHA256=7ECA67845F6125B326459C8228DEDF44674F409921FF9445DEBC738FC7630E90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B903-62E7-3904-000000006B02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B903-62E7-3904-000000006B02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B903-62E7-3904-000000006B02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.233{6DD70E3E-B903-62E7-3904-000000006B02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.045{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756C7E4593E99EC26709949F74E60893,SHA256=0A02DDE625BEE699E7C9DFB3D0EA0C2515C014C089FE48E7482DBBA10AF2195F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:08.974{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A75542E492666A99CF562D688A2A0E9,SHA256=7AFB7A6143184543359352D39C2CF1D18DBEFFC8482EF9181BC3C7BA3A5879C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:08.763{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E16C06A74E6A7D717E11E3C321CC9E8A,SHA256=6657F8DF1DB96CCFD6F0587FEEE028E134AC8107ACB6C7DCFF403B69C9E65033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:08.248{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F1378DF676E7621CD82D2A5DB01D4D,SHA256=F848439F4CEC543C1FBCFC749E2F6BD75FF06DCC9515A7522FC277BC4853E785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:08.824{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.cs@2022-08-01_112903MD5=EA416AF7B82503492E5F053A5BA6AEC2,SHA256=6BF5118FC2261DF1FFC184DC4036F8B57800BC8FC4557CDBCE21BB45AF4EC5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:08.824{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.csMD5=EA20B9D4680A2804F8C11BE54F4A11F2,SHA256=4CA57EE73EFD72EBF6CAD7C767616E52EB5C11FFEE89E395C7AFDCAA81F5B623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:08.060{6DD70E3E-B903-62E7-3A04-000000006B02}39681672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000062713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.248{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51250-false10.0.1.12-8000- 23542300x800000000000000062712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:09.357{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA9F188293E4C203B0C034E3922DCD4,SHA256=B205572ACDE6DB62F2265854484A9FE8B0EC70CB5EAA23128429D043A66AF299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.451{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE4A5B1CC385E02327FC2365646FAAE,SHA256=6CC89F2E0784250265E90543554B1CB7CD8266AB7817FAD82B4F81A78BB1051D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:09.119{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61633-false10.0.1.12-8000- 10341000x8000000000000000124336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:10.725{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1849a1f|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+1849ebe|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+184755d|C:\Program Files\Mozilla Firefox\xul.dll+19146a7|C:\Program Files\Mozilla Firefox\xul.dll+1b09163|C:\Program Files\Mozilla Firefox\xul.dll+1b002b9|C:\Program Files\Mozilla Firefox\xul.dll+1820265 23542300x8000000000000000124335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:10.010{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90912DF386C477D6AF836DEE0D4868C4,SHA256=B30EDB222E6201A69868B739A7DE574CAF84A8D6BB4AA42EB1B7BA34BACA3F99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.373{6DD70E3E-B906-62E7-3B04-000000006B02}35563056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B906-62E7-3B04-000000006B02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B906-62E7-3B04-000000006B02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B906-62E7-3B04-000000006B02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.170{6DD70E3E-B906-62E7-3B04-000000006B02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000062756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B907-62E7-3D04-000000006B02}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B907-62E7-3D04-000000006B02}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B907-62E7-3D04-000000006B02}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.967{6DD70E3E-B907-62E7-3D04-000000006B02}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.544{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A87C34E47FB21913B9C1242AB098983,SHA256=7521466EB18A35C2FFA62F8C2DA50914412800C6549C20E9A27855E6B3428846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:11.145{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDD61D9DC4B6D672D40299E53E4F3B6,SHA256=51910D00EE78B0198DE10989C9862A69DDFEAEFF57B1277289C7B12FA496A57A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.451{6DD70E3E-B907-62E7-3C04-000000006B02}3603064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B907-62E7-3C04-000000006B02}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B907-62E7-3C04-000000006B02}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.294{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B907-62E7-3C04-000000006B02}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.295{6DD70E3E-B907-62E7-3C04-000000006B02}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:12.874{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83511424B7CD8701B1305975C5EC8B07,SHA256=1897565BDC1D452B751559F69A6314F0468622D2343FCD75FE95561C2464236B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:12.174{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EEA07AE6E67EBD320689772E8A5EA5,SHA256=39BD67B8E2228F9B3F4A2F2534C0189DC243258CB59C6B1952E23A218A3646FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:12.123{6DD70E3E-B907-62E7-3D04-000000006B02}34323496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.969{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5BB1C0DC619067AE1697F192A42B05,SHA256=C62D972D2B9063747E13101C30E0AA5DC3043AB86D428A594400B299E9EE91F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B909-62E7-3E04-000000006B02}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B909-62E7-3E04-000000006B02}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.922{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B909-62E7-3E04-000000006B02}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.923{6DD70E3E-B909-62E7-3E04-000000006B02}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.340{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.324{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.324{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.324{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.308{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.308{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.308{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.308{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.224{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397BA9E833FF84777DD6E8774CC20A92,SHA256=FBBF1834F9E2CDD33E02488B46148350846F9F1EFB7BFCBAEC2156FAFD363517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.110{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\respondent-20220801091656-128MD5=27E9143B9CB90649B07EAF2F4EF1772C,SHA256=A1ABCC2732E4C7E234845602CC2F5F62DB7BFA56C76C6EE76535F9D8057806B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:14.976{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C1271DE0D3D3F0CD1576FC5453ABE1A,SHA256=0EA026DD7F1144E7A4B387177DCB6CFCA71A592F0D5C20EF0E68BCB69FEE4501,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.412{99CEBDD5-9A1A-62E7-2D00-000000006A02}2748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14malware.com64927-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000124351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.412{99CEBDD5-9A1A-62E7-2D00-000000006A02}2748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local56961- 354300x8000000000000000124350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:13.412{99CEBDD5-9A0C-62E7-1500-000000006A02}1136C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local56961-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local53domain 23542300x8000000000000000124349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:14.273{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84953EC2645029FDB1B5CC5A9A4A5031,SHA256=2B73815C506C724E90BBEBBA276883B94D48D22E5BB9169CA8B3F674F4207B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:14.114{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\surveyor-20220801091654-129MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:15.306{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7121D124F9136F2D1E1602A00B05F5FE,SHA256=5EE3FCA003B595393F12B1CE2612C77264A1086A0AFE1781C96378FE45173CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:15.070{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA56E9BAAEF88AF786A7A9B6318F9DD8,SHA256=7E99DBA133D26B73AB61E00C177DC055DCF47AB24741DEA91126EBEBD37EAAD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:15.122{99CEBDD5-B8CE-62E7-3905-000000006A02}51486316C:\Windows\system32\conhost.exe{99CEBDD5-B90B-62E7-4305-000000006A02}9232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:15.122{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:15.122{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:15.122{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:15.122{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:15.122{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B90B-62E7-4305-000000006A02}9232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:15.122{99CEBDD5-B8CE-62E7-3805-000000006A02}34768576C:\Windows\system32\cmd.exe{99CEBDD5-B90B-62E7-4305-000000006A02}9232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:15.130{99CEBDD5-B90B-62E7-4305-000000006A02}9232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /out:c:\temp\dcrat.exe C:\Temp\1.csC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319" 10341000x8000000000000000124368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:16.890{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A0C-62E7-1600-000000006A02}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:16.890{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A0C-62E7-1600-000000006A02}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:16.890{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A0C-62E7-1600-000000006A02}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:15.133{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61634-false10.0.1.12-8000- 23542300x8000000000000000124364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:16.322{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9ECE87D39546FA06DB2821451D4DF45,SHA256=833F62FAFED432CB234347AED42498ADD9E70B56560891A1FB6D083F6DAAAF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:16.054{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2844606EB60762588A8BAA444B02FC7C,SHA256=C8BD17643F5EA05FCCD876F884EB0C29B07CE30D5CC4A7204BD9361E376B1404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:16.238{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:16.171{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C944795AC5C1299ADAD9D200D18647CD,SHA256=266EA63A09875EFD4D9CF07E45BDF9EE03C7DC701C7FB423AC0E97A98206A2FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:16.286{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61635-false10.0.1.12-8089- 23542300x8000000000000000124369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:17.452{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2080B580695E2AD278C190BAD19BAB,SHA256=E11217C45F307F559FBF979D7ABC4829FF7495D59CB697B753BBB8ECF6669DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:17.148{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A705E7FA587FCFBBB484BED33F1123C7,SHA256=6FF32F79EC38B4A41DEB49E414A79ABAAB52BB6C8A2490879D0E8B26263D7DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:13.251{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51251-false10.0.1.12-8000- 23542300x8000000000000000124371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:18.490{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7855890E0D0941E315A83F8C9FC6D500,SHA256=35B364A3529B5AF5006977E415471042D131E2E2FDBC2E4ED11A0B5B645F7105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:18.132{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE4EE8F026D6D62FEB006CE11E46CFC,SHA256=C4541B2277C9D8CD5BE64EB7ACED865ECA0966EC9B53C5F9F51724C7EE3D10CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:19.620{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D084341116A111F7A0F832813BBF9073,SHA256=CA422660ADA80D7BBC1218AC065CA9A3EF58FD6C42A65B228FF3F748F82F7265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:19.226{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9554E06177B467DDD1AEDB60DF40BAB2,SHA256=24D8DFA75BD3654DE539471524F61358395CDCD9D475A9B18392E4814AE1F618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:20.667{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5EF6424E3B94B35055AE9CFAF19E41,SHA256=405C6ED48920EB9BDB3B7BDB832C0454FB27B6A0EC37B8F8E820D29C2C92060A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:20.320{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D9DBA862938F484BB07D3004B7892B,SHA256=E7F7B9BACF6922A78CCC186EE31173DC911C819F92F025BA448379740D14E8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:21.718{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475A6AF9C404CB7DC07CDF7DAC0066E4,SHA256=3E0C07D5FB8B22B111BF7FBD9F6AD9B2F2AF05AADB94DFBCE268EC063BA8C603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:21.414{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F257043DB53E6B28E66FA9DB6CAEBCB,SHA256=7E90CBA3CF2AA04583397FB819F6AF0F069F55534218565D0CCE518ADBD8D5FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:21.203{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1849a1f|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+1849ebe|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+184755d|C:\Program Files\Mozilla Firefox\xul.dll+19146a7|C:\Program Files\Mozilla Firefox\xul.dll+1b09163|C:\Program Files\Mozilla Firefox\xul.dll+1b002b9|C:\Program Files\Mozilla Firefox\xul.dll+1820265 354300x800000000000000062783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:18.321{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51252-false10.0.1.12-8000- 23542300x8000000000000000124377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:22.765{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D7174855FDE7C64C8C75172DCFEE62,SHA256=C9426C5A8F668ECDF0DAC628ECA5EC6026A9EE5CBA59F3A21DA96E607B56637D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:22.507{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED9782E2A9465093E972C16EE8B3D6E,SHA256=31F4C0D9022559C53E0CF10F1F4435EE699713F1391BAB60D14D717D4D9931E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:20.152{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61636-false10.0.1.12-8000- 23542300x800000000000000062786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:23.711{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C243DA4834BF35923DA427E80EAA5C,SHA256=4EAE706EDB98BBC7285C94491808F2E3AEA2A9844DCC27F4A8E158A28496AC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:23.886{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFEB9AD33BB31F06A9ACA226AB824A8,SHA256=9435362515FFABE1A6D4D6504F8843B977E8C21D3BC0AE75F3248F8DD7233740,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:23.165{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1a24013|C:\Program Files\Mozilla Firefox\xul.dll+1773eac|C:\Program Files\Mozilla Firefox\xul.dll+1a4a22d|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:23.131{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-AAE5-62E7-6C03-000000006A02}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:23.131{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-AAE5-62E7-6C03-000000006A02}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:23.131{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-AAE5-62E7-6C03-000000006A02}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:23.131{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-AAE5-62E7-6C03-000000006A02}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:23.131{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-AAE5-62E7-6C03-000000006A02}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:23.131{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-AAE5-62E7-6C03-000000006A02}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:23.131{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-AAE5-62E7-6C03-000000006A02}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:25.023{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CE40CB0D5D2332B2B9519669BF01B0,SHA256=0E6D7D4847595231A960E2C3E98F48BC38C464B2DFD278FD6BAE9D3945FAC8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:25.032{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12E9094710BA32817B0F14906456D72,SHA256=3762673A81460F37C86AACF1670F3E5E496E5402AF907F8C43EAA1A0C053DBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:26.226{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44627C98E9DE7BA362D741B13954937D,SHA256=525222B5AB4FCEA86CF49B00EE2338E27526AA3D1EFF9EBE5F7DC92A290A6344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:26.184{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0702385F16334931B34A641E83305FA8,SHA256=CD46B45C84298E94A448365006FE75B397819750D5E5DB67F2EA016DDCF330B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:27.539{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD6575BDA117CC8571329C58DD79920,SHA256=F55FB88CFAB20D44C58BBF8732B9F1C5E3B27E80F8763302309E41A6F37FE9D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:26.125{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61637-false10.0.1.12-8000- 10341000x8000000000000000124399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:27.682{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1e801be|UNKNOWN(00000323D28D32E3) 10341000x8000000000000000124398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:27.514{99CEBDD5-B917-62E7-4405-000000006A02}73126208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:27.345{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B917-62E7-4405-000000006A02}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:27.345{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:27.345{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:27.345{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:27.345{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:27.345{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B917-62E7-4405-000000006A02}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:27.345{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B917-62E7-4405-000000006A02}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:27.345{99CEBDD5-B917-62E7-4405-000000006A02}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:27.214{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DAD9A6166AA1AA10E145DB2FBD6BF2,SHA256=AC7776D547841972FF34269E5F7746136CEE93AFF34C4A9E325709C00E7416B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:24.289{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51253-false10.0.1.12-8000- 23542300x800000000000000062791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:28.632{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552CF9102F1EA33AA406E0D53913C03B,SHA256=BEA100BC68E343A7F73DEBF3338B2512570468294256C593A20F57014AC599E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.690{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B918-62E7-4605-000000006A02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.686{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.686{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.686{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.686{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.686{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B918-62E7-4605-000000006A02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.686{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B918-62E7-4605-000000006A02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.687{99CEBDD5-B918-62E7-4605-000000006A02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.566{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.413{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=375BE93AE2E28BAAC43D00819355ABA3,SHA256=F583D106012C486CA3E3B11871E78D6C06278ABA2D34AA2459E20067B12E6F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.382{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15F0E77F9197F1738C157CD76FABCF34,SHA256=D99670CC2E99C358C59A8D1C302DD0B390DDA5BDAD6146AB6DD0F9D360DFF701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.344{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C814D9142278FAFF17E761030EB5A389,SHA256=8FEAB3414922DC5A3DD435557120A4CB8AA302528BACF924E99080E36C401CB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.014{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B918-62E7-4505-000000006A02}9528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.014{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.014{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.014{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.014{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.014{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B918-62E7-4505-000000006A02}9528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.014{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B918-62E7-4505-000000006A02}9528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:28.014{99CEBDD5-B918-62E7-4505-000000006A02}9528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:29.836{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1CD4B78C54321087C251BAFE618F71,SHA256=70D13D987AAB04EB425EBEEB6C1AF21FDC2517DD4A967146ECB6DBCFBFC93765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:29.395{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE820B0268590D9C33124C1B1C96183B,SHA256=057B0556A27DC0CC3DFB25A58C26D3005ACC3C6D89110C279B0043ACE11A13F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:30.938{99CEBDD5-B91A-62E7-4705-000000006A02}79409824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:30.766{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B91A-62E7-4705-000000006A02}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:30.763{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B91A-62E7-4705-000000006A02}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:30.762{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B91A-62E7-4705-000000006A02}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:30.763{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:30.763{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:30.763{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:30.762{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:30.762{99CEBDD5-B91A-62E7-4705-000000006A02}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:30.506{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C8339F544464F6C2FF3D5912ED6C29,SHA256=B4DD5A81F865D7013804A2FE54C29C72E01D3D7FE9D01BA470C293B5BADA366C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.991{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B91B-62E7-4905-000000006A02}9580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.987{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.987{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.987{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.987{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.987{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B91B-62E7-4905-000000006A02}9580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.987{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B91B-62E7-4905-000000006A02}9580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.988{99CEBDD5-B91B-62E7-4905-000000006A02}9580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.587{99CEBDD5-B91B-62E7-4805-000000006A02}73289144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.515{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7BE984295B648A925F703066C48092,SHA256=69D1DC3C793264ABAEC46F55A8031A6E075D666F263BDE6DE2A59D1031F7E193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:31.039{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CB52D62D28085EFFC9AD15FCB80211,SHA256=D0E629EDFE85725F5E93AED5DCE293E32D03EED48EA9965772F15BB8E4CDE15B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.427{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B91B-62E7-4805-000000006A02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.427{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.427{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.427{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.427{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.427{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B91B-62E7-4805-000000006A02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.427{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B91B-62E7-4805-000000006A02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.427{99CEBDD5-B91B-62E7-4805-000000006A02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000124433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:29.635{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61638-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 354300x8000000000000000124432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:29.635{99CEBDD5-9A1A-62E7-2600-000000006A02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61638-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 10341000x8000000000000000124462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:32.908{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B91C-62E7-4A05-000000006A02}9420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:32.904{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:32.904{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:32.904{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:32.904{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:32.904{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B91C-62E7-4A05-000000006A02}9420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:32.904{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B91C-62E7-4A05-000000006A02}9420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:32.905{99CEBDD5-B91C-62E7-4A05-000000006A02}9420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:32.672{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\respondent-20220801091716-128MD5=C43D34BE2B67B59870C23F5D1C058A3D,SHA256=06E4DF658D34D48A70EC2DD38C98F92C1FEF70D2DB99183ED0883C06837ECC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:32.532{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2845D327D4CD3435381584788C547A71,SHA256=428BCA6948C85ADB847ADA99F730FDC7481F623903C95E2438E73E86705ACB8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:30.305{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51254-false10.0.1.12-8000- 23542300x800000000000000062794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:32.242{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D00A892645C410995CC4ECA4AE3B8D1,SHA256=B8073E604CC1644042736D9BFDF838CA09585F3D66544CB7A7BB25236C5E1669,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:32.151{99CEBDD5-B91B-62E7-4905-000000006A02}95806544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:33.673{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\surveyor-20220801091714-129MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:33.553{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63881EB81B4BFE9D189CDD5A68DD6597,SHA256=E0986831BF7D5354BF14691C478E4B27D604C922B3045B7E0C4B53E58951B2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:33.336{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FAB0BFE42D1AF19DFC0F8B04843918,SHA256=F3858D230EA0D742DF7CEF070EC945D8B5781FD2C4D4E3BCCBE7F6FC5B5FB386,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:31.290{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61639-false10.0.1.12-8000- 23542300x800000000000000062797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:34.539{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A91B7A77D33DB109E2E4D88CC8E80C,SHA256=CD9CC7EF317DE495052A0075DDF36323523B1679A12AA03ABB0AD14444C92151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:34.564{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AF2E331A4CD8BDFCAA80CAFDC8962D,SHA256=11815D044E57B0AF10804099A7DF083751C319A17BAC9F64E8C1748CD524822C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:35.632{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C24C4B9B88420FD97B994F015D61FD8,SHA256=6FF908E15011151A0E62471D8B577B9361869899A613FABE35241CBE77B74CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:35.569{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C5B570C64ACC574FDDEBD462120C83,SHA256=3EBB5C7072BAD7ACF20501DC6240B72C25E8ADC04B64E0286339DA9CA1F5414D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:36.726{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3335AE860A7D6ABD45EA6255A0849B,SHA256=C2C2D79D17DB2E3D051D81A014595E7A8F134C0A42639B678AFB3268CE858239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:36.580{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B32F9BB990E355B2E3DF2F921EFE394,SHA256=216076A9AE002B7812963F5A8ECF84144C3A3898444F30FBBC5809FC993DA395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:37.929{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE2DB257AA5ED53CEC8FE72BBDB6D21,SHA256=F116BFF81B8C22357974DE3027BB54AE695BF0242571874E4137DF3497C701F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.934{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.934{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.934{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.922{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.922{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.922{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.922{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.854{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.854{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.854{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.854{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.854{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283536C:\Windows\system32\csrss.exe{99CEBDD5-B921-62E7-4B05-000000006A02}8380C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.854{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-B921-62E7-4B05-000000006A02}8380C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+6d01f|C:\Windows\System32\SHELL32.dll+e085e|C:\Windows\System32\SHELL32.dll+17acfc|C:\Windows\System32\SHELL32.dll+198148|C:\Windows\System32\SHELL32.dll+2844f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17afa0|C:\Windows\System32\SHELL32.dll+17837e|C:\Windows\System32\SHELL32.dll+605f1|C:\Windows\System32\SHELL32.dll+634d6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000124470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.805{99CEBDD5-B921-62E7-4B05-000000006A02}8380C:\Program Files\Notepad++\notepad++.exe8.44Notepad++Notepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\bbGD63Iv6E\mdO\2IF.cs"C:\Windows\system32\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=0D7354F5A3B20A9E42E66B926DAA115C,SHA256=44920B33FE06135920CD3EDFCC467C5E04CD24A20F157D0666C299FF1E75F1F4,IMPHASH=106BC08A539BA691222AAF2F52A2FC20{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000124469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.597{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05F71D8D41C88402C9CA5F54AF13C30,SHA256=23B5107CC02A99123779FBA9F3B3CA8B8C4FEE9B856392535D1A3C4CD545D5A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:38.911{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=775472193DE50418D0322881D5A77B02,SHA256=79FDC39103459E73F02DCF62229D7BBE1B69A0044D69B08C0B2798D0B741010C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:38.715{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E42C8D664360DF2652EA0D06FE66624,SHA256=6CDA237275819E23EABD2C8AEAD9829B1673F2C022CABDF311862506F7C1A048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:39.724{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6631F9112E266879255357D921E2E531,SHA256=4FA3559A7A1880C00BAD024E8A281CC58E03C4F791A6B30605ED0D7F6FAC9AFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:36.258{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51255-false10.0.1.12-8000- 23542300x800000000000000062802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:39.023{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=95E8B2F37AD0ABB22B07D00C8E0E9A40,SHA256=99B1EEA1ADA6848C39B1261AF6CC3A1BF26661B7117A9CA8D7590DAC07DDFD38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:39.023{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353CBFC7EE1EFB7CE11A41D1170E8159,SHA256=92F518B9F3414B4BCD2AF4A32CE04175FE504823A04AE5450A7B423102690FA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:37.256{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61640-false10.0.1.12-8000- 23542300x8000000000000000124488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:40.745{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE06BB5E23480F0AD4B5AC3136A8C27,SHA256=C49A6C22E230DA957C9D5EB982F0866C47BB0C1550FD961758829DB1123B4105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:40.226{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18970C466BC96CAA8F09EA2F1EC6F1A7,SHA256=1A598FE6D51B94EDBD0F6315543FCAB1B4613814C514C22A3B701534AD7CDA82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:41.771{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38F999E1E08514F4453D0F8701050A5,SHA256=A3E11DB8BFD714898EBDC6BEE27532CAD9BD5F44621ED84B5EE92E680DDD14C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:41.320{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76B5A969C259FAF398D37ECF03A314D,SHA256=014CE6C8335F2A7425BF5DD4D4BE01CC1ED879AC08D3C0811BF59B3F0DF630B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:42.879{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB06BA5D3F7B5B6DCFB0793A0252F8E9,SHA256=A1748E8978AB6DFD14B7F4D617DEF0CC69B25996BC1288DACB1B6445B881C337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:42.523{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD85A9613321AE8EE1E477CF33D00B8,SHA256=0A5CB9392CAD76A6180107F1368495B77C7FA4F55B391834D1907C5BB84FC96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:43.894{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4002E9BCEE457FF483244210A4CCB713,SHA256=53D35D2D435A365E6269DB8B457E430EA63AC220B1A37A4D9E4F48B274AB0829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:43.617{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B2249F2876AF7CC4BF6F69C83A966F,SHA256=E34D384D2DF3EBF4C091A8D7F17E0AFAA1DDDE2CA38E47A70F017DC49113D6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:44.911{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDFDAC8B6CE8C242BEC90382894EEC6,SHA256=04FABBF77028DFDE6B30017E30215587BF06514EB161BEAFF3A02826DB974F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:44.710{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8580B7C8D155D7B31AAFCA187AC980EB,SHA256=86C8F030CACD030DA381DBF7BA31F0CF335A41BD5E5EC53059724CD4BF98E06A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:42.195{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51256-false10.0.1.12-8000- 354300x8000000000000000124492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:42.266{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61641-false10.0.1.12-8000- 23542300x8000000000000000124494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:45.929{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BD10AA777C09AD857792D2D020F165,SHA256=FF2122C51BC49267737E36329616305575E961CCA8B37FC5E5613DB6101DE0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:45.804{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10640983EA706113D464B0B15F497A11,SHA256=86268BE3BC77211E482ADB62F2493B7169E44945A263C9D11EBA3F26AF0039D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:46.938{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0856DC5AFF6E6A500FA081CB2E16D2ED,SHA256=21D828F9DEB42C0A1A4BA1D72D63DFE3F744E7A0D121C53F87157F6F756FCCB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:46.898{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F472977EDFF53D23C865D045125DB0CB,SHA256=CF18F3BD44AB5999DBF2DE4785B556E1D75EA0330E25AC80B902DFC46997F7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:47.955{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D1C16098798A245238603838C84D05,SHA256=FEC8EC55EFA46D6E20B77B228DD1F266167FAF373D0D003900BCC695E8CB2BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:47.992{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C45BF29B0DC891BA6CA4A3402C0EF2,SHA256=4041B99ECAB34CD8811475A17CE970B2EC175CD56D7E7175B8A73B720A8635E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:48.343{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1e801be|UNKNOWN(00000323D28D32E3) 23542300x800000000000000062813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:49.304{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E662F4906044FF854785F78DA3D99F,SHA256=2E0FC3E3DAFA391225782B50F74C36D5F056ECBBC05C8A246D6EC7C4C2BFA41E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:49.836{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:49.081{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B7D928595D43F9EA2BCB43FB3B812F,SHA256=B2C4C19EB4A8872299DF32A41D581CFE212A1ADD15C6720564404E8745EF2483,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:48.227{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51257-false10.0.1.12-8000- 23542300x800000000000000062814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:50.398{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06BC6B7D731D9989EF7FF40D5F70E82,SHA256=A24B629461E0495C1D7A027A09E3B27DBA2F95C199FF818AF138BBBEE88547EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:48.202{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61642-false10.0.1.12-8000- 23542300x8000000000000000124500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:50.093{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76167A3172A7F79E02E871AD5A934A91,SHA256=2B9A7A97D580F9F140B1525ED374748BE94B3A994E506292BA646A9D46814E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:51.492{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FB2E7915B86DACF5697047FC9DD04E,SHA256=8FECD544ACA5FB6C0B855CD86E9FF08349ACB28FA4E730807C0269F710408EB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:51.113{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB338F113CAF1EEFE99FF163400BFBC,SHA256=1C21367C57D7EB56CECDACAE38408B8E329D9E4E49C2B4E48E5616EBBB417628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:52.695{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF8F396D9500B36BF9A74DEBB60DF28,SHA256=5F988FEEB67DC667F1559C768FED2F836B7FD1434A954B286B4F58FA102B5D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:52.130{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645B21921509C67B6D7E99E5B405BED5,SHA256=57E71AA1DDFAF51DA159049F6D306A8BD5CEDFE5AD7325D3119D6DA13234F6C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:53.898{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D23BE8F912CB3F68EAFDA29EAECCB373,SHA256=78F5EA3497217825CFD63B77C7C0F44326BC23FEEDB24BF85D6C75C914CBD071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:53.143{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9850631329876D01C7F1CA164977E912,SHA256=0A431E64E4C6C1046C17DFAB55637B9C4539DC5C627E6D401FEF3938ECDBF871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:54.992{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6A62EFBED059F43CAB6FA30CFE103C,SHA256=A7A2949769C4BD8BB54685B2BB349B8023719DFFCC7CF6C5D4FA72A5D81A3C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:54.152{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCD098CC90C412C0BBF9A62E308FED4,SHA256=25885EB9F42452A083B43CB20E4EBA797D121077781352EF671CD2BB30F79F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:55.960{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:55.757{6DD70E3E-9A06-62E7-1200-000000006B02}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EA160C0F63E65D6781C0FDC7F725419E,SHA256=FA6397616989474D14FC7A7263BF5213F403F49813327F5A7EFB2E67B37D66C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.730{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000124521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.730{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000124520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.692{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.692{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.692{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.682{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.682{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.682{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.682{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.401{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000124512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.341{99CEBDD5-9A0C-62E7-0F00-000000006A02}104352C:\Windows\system32\svchost.exe{99CEBDD5-B933-62E7-4C05-000000006A02}9564C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.341{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B933-62E7-4C05-000000006A02}9564C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.337{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B933-62E7-4C05-000000006A02}9564C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.333{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B933-62E7-4C05-000000006A02}9564C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.329{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B933-62E7-4C05-000000006A02}9564C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.329{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B933-62E7-4C05-000000006A02}9564C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:55.177{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA470F5A9CDAAC0FEE074A3E04E05F71,SHA256=FC0976F3CE2D5652017366F16016BD0A8270E5AD896CF70037E2AD74FBD2443C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:56.403{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94DC7E1029397ED0EF86E082D3A41326,SHA256=343439AB22DDFF74CF2B83F77CB419F57B1BEA1C652D7F09E8D1834444A58431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:56.294{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34651EA148454AFF948ADB3A42FF2E39,SHA256=CE633D7FD3B42777457F6FD29E6B40B7A0DE19F1D25627B7C29513FA5F3E4CD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:54.151{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61643-false10.0.1.12-8000- 23542300x800000000000000062823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:56.304{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E12870B1CED4159788D41C7F8E70978,SHA256=5CAF2246DD54127FE7D6EE403FA92D3C6775C2935968EF89122B7DEE29C0693A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:53.398{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51258-false10.0.1.12-8000- 23542300x8000000000000000124526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:57.301{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAF7DB1876185FB404591CB65A6B90A,SHA256=B1192541BCD433F640C901C0DA87EF86E885627DF04A0E02A769EF532D90A4B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:57.289{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E7ADA1EFADF7E448919D160CF69602,SHA256=06259DF7859BBBC65E4E2E8FC4D2E45809A158060D62690FAA341FE27AE2B567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:58.469{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=51077B28702687AD70AB6AFE6F2DAE06,SHA256=6847A328C7FDCFE84CE7AF9321E0E6B419CCF873CE97AB3D9DDA393714CADB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:58.309{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190361C315D0EC8E98894541CC72589E,SHA256=486DF727CF701B9DB6B6C40373AD9FF8DAE92F52833D31F511BBFE34D4979292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:58.492{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7391D1AB6F8A2B2A5339ECBB8876724,SHA256=793AFFFF2DAE77320F86505B8E3D7CDE2EA5BCB7238F1B5FF551136124311A51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:55.117{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51259-false10.0.1.12-8089- 23542300x800000000000000062827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:59.585{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3E0E0602298E64241B9C74077E0036,SHA256=4C603BD815CE7217A749138C1F0B012A2BEE8A77B7C3DF57691CC596EE17EEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:59.334{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109AD0B6E3D9D0EBEF74BB438B91F283,SHA256=34D8F28D462E3450F7309EF4FF93798CDB86253B2403841B545C32459F6F57A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:00.679{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4043A921681840E9F9C7E4ABAF942E85,SHA256=F1BD09AE8D8ACEA652B9DAABC43693F74ECDB3D6916137D8C1A4AB8E648EB9E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:00.443{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B86674581A1E2B0741292ED52F3DB4,SHA256=8465029EBE4F6726436335A0450A825919C1C64319297D79E1B0C5CD6F351A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:01.882{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45BE3E18B2A189C68E4E67D0A6D00AE,SHA256=501C69A54E0E86B980DA8345100072A0B7DC28087CE7C14306121B3D4FB2A050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:01.460{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B52CE802C1DC42D1ACB3BDF9CBAC4B1,SHA256=9DCC5F40E6321C7D08F3E64EABB5DDAABCBD0CD5390766CC9297B34B63CF9D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:01.452{99CEBDD5-9A0C-62E7-1100-000000006A02}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2BDD1D89B25BEDFBAFFF1CE968C81ABD,SHA256=BBEF77247B5DCEABB785C657E80B8DE22F4266F6A4D161A168C66A3DD38177F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:01.328{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1e801be|UNKNOWN(00000323D28D32E3) 23542300x800000000000000062831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:02.976{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F28882DC3A989706D699E306CA7E360,SHA256=6BBA8290BAA59071B7FA776F9EEEEF102E0522EBEA44C00FF26453194B3D4DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:02.475{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E3E47FD7039EDBD2D165D0F8F08A33,SHA256=D7A34C213ED9B3F7E66D350B885A0FC3B9E5B20E6D628A4FE8412A6562A6BFF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:59.258{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51260-false10.0.1.12-8000- 10341000x8000000000000000124535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:02.443{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:00.118{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61644-false10.0.1.12-8000- 23542300x8000000000000000124537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:03.492{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E1A9521B3F1F8CECA9A32E0CD5443B,SHA256=4610253BEFA4AB5FC14155F2E173F4BC76598D18E335591FE1E074811CE0B038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:04.503{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F289420DF1E717F897A5D0893DEACC9,SHA256=AE4DEC1694FDAA289AD59A6337BE3D75EF08D3B61E72152FD99227F411B453DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:04.070{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD6D8BCEE2CE6BA002FA7BA2AC49B14,SHA256=6DB46EA80066B4ED97415E5074EC8674CD2D5FAC445DC6FAF3B4FAEDA92A9BDB,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000124539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:02.523{99CEBDD5-9BF7-62E7-F600-000000006A02}1644www.google.com0172.217.1.100;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000124538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:02.522{99CEBDD5-9BF7-62E7-F600-000000006A02}1644www.google.com0::ffff:172.217.1.100;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000124542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:05.512{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFF5F50B9AD03CAA50C477F8910B7BC,SHA256=9C8A980ABDC168A0BD083E109AB0874AC17BE537C64E0D24B2459702B4AE8AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:05.273{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10BABA8FFADC2B43B4783A42E34E151,SHA256=7270DBE00C0CED7873D69483FBF448F9D08D30D2AAF2A3356A9E0337E7589B1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:02.516{99CEBDD5-9A1A-62E7-2D00-000000006A02}2748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local59123- 23542300x8000000000000000124543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:06.524{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59C666F41434F19745CFE2D3FCF61DC,SHA256=F82DD03CF246ADD79AE111CEEEEA518D077E7DE2B91882087C50EB9CC7ECFAED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.929{6DD70E3E-B93E-62E7-3F04-000000006B02}2780500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B93E-62E7-3F04-000000006B02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B93E-62E7-3F04-000000006B02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.710{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B93E-62E7-3F04-000000006B02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.711{6DD70E3E-B93E-62E7-3F04-000000006B02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:06.367{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3590E9035CD5ED9CD77D0963EA3B8717,SHA256=8283AF1838F4800A53814E93FE71CF6A98BCAE4243743F7990AD7174626C5181,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B93F-62E7-4104-000000006B02}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B93F-62E7-4104-000000006B02}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.898{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B93F-62E7-4104-000000006B02}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.899{6DD70E3E-B93F-62E7-4104-000000006B02}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.820{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAD56B6DFA4A41DBE74063BE6FE62EF1,SHA256=63B658BC1095D07EC6F17687D1BB4D7B20AE294D8FE1C4EE75929274897B34FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.679{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176929B46A240130E39A7D3700675006,SHA256=A6277F966A10CADD033805E3B328E318DA24D357E372C828927AF552B5351172,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:07.941{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-AAE5-62E7-6C03-000000006A02}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:07.549{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FDBE45658257CFC301ECD5A090B83AD,SHA256=6D5E04589882A24C9C083BF267E2A51F2586695D9DEF082A029DBA94A6A0C93C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:05.217{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61645-false10.0.1.12-8000- 354300x800000000000000062862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:05.274{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51261-false10.0.1.12-8000- 10341000x800000000000000062861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B93F-62E7-4004-000000006B02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B93F-62E7-4004-000000006B02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.382{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B93F-62E7-4004-000000006B02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:07.383{6DD70E3E-B93F-62E7-4004-000000006B02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.570{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307B6482325F1E26A0BA682732BC3180,SHA256=F40733D20DA71BCAEBADBE20C3E9AAB64A2111AB97C7E12A4A2A259865165F64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.454{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000124561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.454{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000124560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.426{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.426{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.426{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.418{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.418{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.418{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.418{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.104{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000124552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.041{99CEBDD5-9A0C-62E7-0F00-000000006A02}104352C:\Windows\system32\svchost.exe{99CEBDD5-B940-62E7-4D05-000000006A02}9304C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.041{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B940-62E7-4D05-000000006A02}9304C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.037{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B940-62E7-4D05-000000006A02}9304C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.029{99CEBDD5-9A3F-62E7-7D00-000000006A02}32289904C:\Windows\system32\csrss.exe{99CEBDD5-B940-62E7-4D05-000000006A02}9304C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.029{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B940-62E7-4D05-000000006A02}9304C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:08.029{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B940-62E7-4D05-000000006A02}9304C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:09.583{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5344492592E3C1376B2629AB2A99EBA4,SHA256=E3C43B6E0F969A8B5597101CD63CAA6AE8EDB0400AA0A2CE3008C4062A3D1D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:09.335{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E6CD8A792FFD40A24EA5EE082EDE66E6,SHA256=91F097C01344619B7093165F426421AAE34E5EA8ED62FA6942290A98227C6C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:09.007{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE1D9BFFEAB7B6C4B39FF6356D08EDB,SHA256=0272B20F0A01B3F5D3033E878A579CEA41C397EFA6E1D92D7DFA2EC0A183FB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:09.127{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=470B85A554035BAA716CBFEA55FA967E,SHA256=2DDC7A25ED1B3DDFB57A1AB32FAB9B27EAAF50E48061A716D2C15359A589A7D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:10.592{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A98123AF4E8ADB1A250EF0691946BBB,SHA256=EE17807A4C6938B4093E84B36CA3BA675792622035505AE082E9320FD619E84A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.335{6DD70E3E-B942-62E7-4204-000000006B02}38803172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B942-62E7-4204-000000006B02}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B942-62E7-4204-000000006B02}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.163{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B942-62E7-4204-000000006B02}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.164{6DD70E3E-B942-62E7-4204-000000006B02}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:10.101{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E32DB3AF095BD268042A4E3C8D4AA2,SHA256=E1D849E0B476409ACF46039056D7D9A117EF0FB5690E96A45C7FBB59722248BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:10.280{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\datareporting\aborted-session-pingMD5=6B1B2D697147AA87648AAB73B11894AA,SHA256=01A74B36D76CA789EBC8631F2065C81E44608C5AAA9D7A9B9FA5E3836146D7A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:10.276{99CEBDD5-9A41-62E7-8C00-000000006A02}49404420C:\Windows\Explorer.EXE{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FB658CD8)|UNKNOWN(FFFFF511E5997E08)|UNKNOWN(FFFFF511E5997F87)|UNKNOWN(FFFFF511E5992611)|UNKNOWN(FFFFF511E5993FDA)|UNKNOWN(FFFFF511E5992296)|UNKNOWN(FFFFF802FB36E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000124567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:10.276{99CEBDD5-9A41-62E7-8C00-000000006A02}49404420C:\Windows\Explorer.EXE{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FB658CD8)|UNKNOWN(FFFFF511E5997E08)|UNKNOWN(FFFFF511E5997F87)|UNKNOWN(FFFFF511E5992611)|UNKNOWN(FFFFF511E5993FDA)|UNKNOWN(FFFFF511E5992296)|UNKNOWN(FFFFF802FB36E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:10.276{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF7a9ae6.TMPMD5=E28227B6D6E494469AE6EF4D3E29C7E8,SHA256=FFE486831FA5E731F94AEE76A4513D77409B0F6376D19058D532A16B272B6CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:11.607{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0DFA9E233B20627A85F296FF4B0E59,SHA256=BF306F51081F0182057E024876B4C0EBB6C9AD463C1916458F65A7B97940A171,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B943-62E7-4404-000000006B02}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B943-62E7-4404-000000006B02}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.960{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B943-62E7-4404-000000006B02}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.961{6DD70E3E-B943-62E7-4404-000000006B02}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000062909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.445{6DD70E3E-B943-62E7-4304-000000006B02}32083188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B943-62E7-4304-000000006B02}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B943-62E7-4304-000000006B02}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B943-62E7-4304-000000006B02}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.289{6DD70E3E-B943-62E7-4304-000000006B02}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.195{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86AF76A5A382B131F30E94DD8256BDC,SHA256=08A53521B9D9C84E4ACA9D891DE2F9D811FFB8E75A4A836A621A522BD7B42C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:12.618{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFF741F668CD380801624C43DF5BD2C,SHA256=CC70408382808F117FA20013074C66ED8CE14D568A74AD97B11E68D52D3B3390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:12.460{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95C06D817AE79870E4B06221F779D43,SHA256=45D231C22B68037548D6630D6532ED4F6AF23075C0AE66A11B82F7AFBFDAC562,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:12.117{6DD70E3E-B943-62E7-4404-000000006B02}2476368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:13.627{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D8664442DAA0C104CF2FDA9410DED8,SHA256=DBDF6B23CA743379386D228010FAB0E71E73DD76DC12B03A5D3702D1611E0587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:13.623{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=E57B7B1EB36317BC4F3A1007A1E7CE83,SHA256=D2E6D314DC2A188103CED92487A415C97CA728BA7034FF69DF731846C982BFEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B945-62E7-4504-000000006B02}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B945-62E7-4504-000000006B02}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.913{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B945-62E7-4504-000000006B02}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.914{6DD70E3E-B945-62E7-4504-000000006B02}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000062926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:11.320{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51262-false10.0.1.12-8000- 23542300x800000000000000062925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:13.507{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4260D68726D58CAF48203785C869640,SHA256=ADF93652A11AAC782133219278033119255C1D252E00231EF72DD32F4423752E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:11.220{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61646-false10.0.1.12-8000- 23542300x800000000000000062941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:14.621{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\respondent-20220801091656-129MD5=27E9143B9CB90649B07EAF2F4EF1772C,SHA256=A1ABCC2732E4C7E234845602CC2F5F62DB7BFA56C76C6EE76535F9D8057806B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:14.603{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A18D867D99FD96842B500B11F5FF50,SHA256=E882AD29B1A00946D281FBE7BD137F3C7F712D460D04D5EB75A5C3BCCA3B59E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:14.631{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6B2C9360E0FC81C0A426C855D82F81,SHA256=8388D94B45EEB6EDF681BF036D5BCAC9B91532F4E598F371DCC409C3B2609F5C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000124581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:14.531{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\AlternateServices-1.txt2022-08-01 11:30:14.531 23542300x8000000000000000124580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:14.531{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000124579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:14.531{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\AlternateServices-1.txt2022-08-01 11:30:14.531 11241100x8000000000000000124578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:14.331{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\SiteSecurityServiceState-1.txt2022-08-01 11:30:14.331 23542300x8000000000000000124577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:14.331{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000124576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:14.331{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\SiteSecurityServiceState-1.txt2022-08-01 11:30:14.331 23542300x800000000000000062944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:15.919{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFE3F60E228EB830E853F38322B4371,SHA256=458E5A1A2BB320AAA77A247AE6FF369A9356B283B51164AFA099AB587AAF5AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:15.841{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.cs@2022-08-01_113013MD5=53E7E76157E3FEE25C653929AA4778E8,SHA256=14A0DC942704ABB1365525806CE7BE99952887DF753CDF2AB9369DD45FF4759C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:15.833{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.csMD5=9801FE3D735B3C0265C58D22A717FE87,SHA256=291AEFBFA0FD7974802F687CBB7FD5C52E4600B445E59CB24D9F013E47952F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:15.636{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38FEAD9A685E7524FBA5144A67B5432,SHA256=D8EB142447B3A0627E6438E6F95AEE7688257D107AE7C92B6380E0143F547C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:15.624{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\surveyor-20220801091654-130MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:15.045{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0216521FBEB03311C960D7DC94E23D4,SHA256=81AF5FE57CD57A3099510D53FC3E6D4AAD9E0F295DD31E797A3D1B7F32E157EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:16.654{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1FEB52A293733B1C229EC5556602DB,SHA256=F60A92E1758544D629B91C3C7EC4E579917717A0564CF85FE242D00FD960D8D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:14.780{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14malware.com61647-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000124587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:14.765{99CEBDD5-9A1A-62E7-2D00-000000006A02}2748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local65535- 23542300x8000000000000000124586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:16.257{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:17.778{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1e801be|UNKNOWN(00000323D28D32E3) 23542300x8000000000000000124590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:17.670{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9A4E8696E3F4E898D883910846C1AC,SHA256=39689525880B51E90758BEEDB0BEAB2F6238A6A2A258FFB3CA8D6D8297302918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:17.232{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE9EAC3672278FC4A08CEA7C981E4E4,SHA256=C097108FCC2927A1123270776A00131B654D0742822BF4F433084DF98F52AAE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:18.839{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1a24013|C:\Program Files\Mozilla Firefox\xul.dll+1773eac|C:\Program Files\Mozilla Firefox\xul.dll+1a4a22d|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:18.828{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:18.827{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:18.827{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:18.822{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:18.821{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:18.821{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:18.821{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:18.675{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D4B2632E9D9678AA90B6BE414F2B68,SHA256=AB4845E5C57AA97F78882F4C8CC92BC71F24A5943C87936066BE5FFD026D643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:18.436{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19866A43CC2FD1DE838FDC38BD6A25A,SHA256=BC47F7270BA25349C2355B9A4036D1297162A1F534878B0702BA9FC4857B02F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:17.176{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61649-false10.0.1.12-8000- 354300x8000000000000000124592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:16.304{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61648-false10.0.1.12-8089- 10341000x8000000000000000124612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:19.720{99CEBDD5-B8CE-62E7-3905-000000006A02}51486316C:\Windows\system32\conhost.exe{99CEBDD5-B94B-62E7-4E05-000000006A02}1456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:19.716{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:19.716{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:19.716{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:19.716{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:19.716{99CEBDD5-9A3F-62E7-7D00-000000006A02}3228884C:\Windows\system32\csrss.exe{99CEBDD5-B94B-62E7-4E05-000000006A02}1456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:19.716{99CEBDD5-B8CE-62E7-3805-000000006A02}34768576C:\Windows\system32\cmd.exe{99CEBDD5-B94B-62E7-4E05-000000006A02}1456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:19.718{99CEBDD5-B94B-62E7-4E05-000000006A02}1456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /out:c:\temp\dcrat.exe C:\Temp\1.csC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319" 23542300x8000000000000000124604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:19.708{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\4om6xl8d.default-release\cache2\doomed\27723MD5=501E0D69B84C03B2098C404BA02F8D39,SHA256=EB3E8415CE012FFA72D9D8093B3FBDFCDB58DCCE461195A972B156C619D88FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:19.688{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA048667B6590677AFB57A5BF307FAB4,SHA256=4A38FFC0B9D265E1B933B77BC1B97BBA6236F217B312E530975F55046411727D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:17.264{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51263-false10.0.1.12-8000- 23542300x800000000000000062947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:19.529{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198B3527B1B6F94241C7034CFFA03FF4,SHA256=DD0313D0375A5F3F1000422015D272400CBA0F3B19DD1FAF01131A349ACF2EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:20.745{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D633A2B4B72C4842160D6F4095D938A6,SHA256=51BF5AC3E221C10AF8FCAF49250792D9262F1D381CA21C1AB35F0C013A53AB78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:20.721{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F651C8A5BD747C942E589231A7D843,SHA256=31B1155D3960FF306C81AF61C6B4CBF0668BDCCAA2877C8DF9569B30940B9E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:20.732{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833F5BE7B719A712E7029CA5A0F844A5,SHA256=D807F18A4E932576778EBCA2F00D27B9FA7EA7CD741B93481908E6147AA5E851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:21.731{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDC7641F0C0D0E1967900D9F0C14BEC,SHA256=4E9F08024550BD3AE29FC44E05A7473EF10CC6FC8185CEE3F52554055DF1BDB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:21.826{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBFAADBE9C447C81722B5F2152CAF56,SHA256=EF0ED4C6223849DB6341D35BF73C0489A7CB388D4B138A7325E0586418D37F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:22.740{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04821F8C038D79A1234177898F77405D,SHA256=73C4FE846C3E9874D8FDE2F45C428DC69CE333C0E3D1CBEB9372B1008FE676FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:23.745{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DE54213E27D95D73B0D44F64BC59E2,SHA256=B2E5FDAA9D21A2E05D5B46D559B43B4CC1B2822F74FDEB08859D4B0BBC037DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:23.029{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD5B76597A6E95F0D8BBE998572B7D5,SHA256=7B8525A63603E576F2C54FCF49D42D0FD3DBD6D3FC17977E4DB71A22242A4CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:24.762{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1023885B193E3ACE77BBF2284185EDC2,SHA256=94B54DA76C603C9668593786296DCE63F9BF758C7B063CB11CCEDC230FDD3291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:24.123{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EE1299654E0ED3B3C7A55B9168615D,SHA256=62581A860E4A5590A581885795933AF4A87420ED109B580F536E2C0A0647DA5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:23.142{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61650-false10.0.1.12-8000- 23542300x8000000000000000124627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:25.767{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6F78DF13F649A2E1397EF137F9145E,SHA256=B603D721156F9F8351E181511B48F7129AFAA7E7BBE9DF3CB7303B69ED80F915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:25.342{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7A4C83FE41FADD8390767683D2A610,SHA256=064DDF2E9B2E3D287B33C6B0658F58BB92E0A4DC4149B287C7312C75A24CE004,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:25.547{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:25.546{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:25.546{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:25.538{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:25.538{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:25.538{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:25.538{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:26.816{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=316E5FC0C9286E616DD0A6C0731A6677,SHA256=1D833C0BF1C1C9BFB8E8480AA9BAF702DAAEB50DA891C9F4B279DD4BA3E5A2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:26.816{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:26.776{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878F91A3CF5163B878B8C1E789D22ABB,SHA256=13ADFC5CAA946989F932B12A8B2897B5F4D34893D0C210CC9457EFCE071801C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:26.654{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7018943A5E24ECAC4DA017313BD6944C,SHA256=2B6EED06726E53140478113F23EFE90C911DC6BF80D71CF71856C966FDE4BDEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:23.264{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51264-false10.0.1.12-8000- 23542300x800000000000000062956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:27.857{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A98E6445F040E14D647FF4D2E5D0EC2,SHA256=9B5D5B6771568164E3EF264604C08016B9D4F9B09B82294B517210552591C02C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.950{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2A00-000000006A02}2644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.950{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2A00-000000006A02}2644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.950{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.950{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.950{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.950{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.950{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.950{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.950{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.950{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.947{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.947{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.947{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.947{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.947{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.947{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.947{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A43-62E7-9100-000000006A02}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A43-62E7-9100-000000006A02}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A43-62E7-9100-000000006A02}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A43-62E7-9100-000000006A02}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A43-62E7-9100-000000006A02}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A43-62E7-9100-000000006A02}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.946{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A43-62E7-9100-000000006A02}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.945{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A43-62E7-9100-000000006A02}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.945{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A43-62E7-9200-000000006A02}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.945{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A43-62E7-9200-000000006A02}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.945{99CEBDD5-9A0C-62E7-0D00-000000006A02}888908C:\Windows\system32\svchost.exe{99CEBDD5-9A43-62E7-9200-000000006A02}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.937{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B953-62E7-5005-000000006A02}8332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.936{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.936{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.936{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.935{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.935{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B953-62E7-5005-000000006A02}8332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.935{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B953-62E7-5005-000000006A02}8332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.934{99CEBDD5-B953-62E7-5005-000000006A02}8332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.797{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10F42103F40C39CFEB5B85F6F16828A,SHA256=6930DBB07F3081A1D8F79885CE076271FF968614E8C130765FA78CF0594DE186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.629{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=A7CF516B1EAAC840D9F0D908AE62D8D4,SHA256=E94654B2F64675FAD6EC968320100D9F855EB413CF821B52A72047CB6F12DCEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.438{99CEBDD5-B953-62E7-4F05-000000006A02}83242548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.257{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B953-62E7-4F05-000000006A02}8324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.253{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.253{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.253{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.253{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.253{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B953-62E7-4F05-000000006A02}8324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.253{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B953-62E7-4F05-000000006A02}8324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:27.254{99CEBDD5-B953-62E7-4F05-000000006A02}8324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.863{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4D0672FCEEFF8F440507A5DF85E2EA,SHA256=7ED32EA688D51B2E9BADD17F2E676BAD690F959499D62876F29D30687EBC28AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.863{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A50800EB4BE48BA56F78C61BDAD552,SHA256=5DF15416DF7D0F770CF11CBBBC01AE3863FB363C13EA40079C2304F17AF41A36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.602{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B954-62E7-5105-000000006A02}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.598{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.598{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.598{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.598{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.598{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B954-62E7-5105-000000006A02}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.598{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B954-62E7-5105-000000006A02}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.599{99CEBDD5-B954-62E7-5105-000000006A02}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.535{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DB4A8A0200961007F739D351AFCFD8E5,SHA256=B579ADA414E591E6D9B28F0355D4E2392B153A36BED5E4C25AC30C5F0BE6D406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.310{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6192F7363E60EC2C0AA6209B138750A,SHA256=9027526A8975498ABB7CEBEBFB6C37E365FAD11E78158320BE5CB7AC185A3F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:29.980{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DEB0A660368E1C85C006C49A3FD8CB,SHA256=618741796F6FE20385F48997DB46FA3E1BED227D06BB65C4A6D6B698C26CB849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:29.170{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A12471B64900D88C48132807020F46,SHA256=B0A9AACD6BF87C98B34BB9330A5FC44A37D1D975A8B255B03B3358A8876CC141,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:28.152{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61651-false10.0.1.12-8000- 23542300x800000000000000062958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:30.373{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE04A8A475AD758E4566DCC58D039DA5,SHA256=CF2EABF7B76A00A40A44FDEE17AF4F3D845350F24019A79EAFB66F5846C6A42C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:30.952{99CEBDD5-B956-62E7-5205-000000006A02}80726484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:30.764{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B956-62E7-5205-000000006A02}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:30.760{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:30.760{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:30.760{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B956-62E7-5205-000000006A02}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:30.760{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:30.760{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:30.760{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B956-62E7-5205-000000006A02}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:30.761{99CEBDD5-B956-62E7-5205-000000006A02}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:31.685{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F7BB7B5B4AD8B002A802EC326A84D8,SHA256=6200083C264C904F2D89AD2981CE1B34A5E957C5989DF20810B9F50B77692DA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:31.601{99CEBDD5-B957-62E7-5305-000000006A02}80765340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:31.433{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B957-62E7-5305-000000006A02}8076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:31.429{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:31.429{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:31.429{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B957-62E7-5305-000000006A02}8076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:31.429{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:31.429{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:31.429{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B957-62E7-5305-000000006A02}8076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:31.430{99CEBDD5-B957-62E7-5305-000000006A02}8076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000124708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:29.638{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61652-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 354300x8000000000000000124707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:29.638{99CEBDD5-9A1A-62E7-2600-000000006A02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61652-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 23542300x8000000000000000124706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:31.000{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B449BC0FD0B058E4E5BD2DDA4C99BB3,SHA256=3FA0A6F219614A964B586BBA7A4AF15A9FF6D1516B7EDF815C0E1FA52E99CF92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:28.342{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51265-false10.0.1.12-8000- 10341000x8000000000000000124737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.903{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B958-62E7-5505-000000006A02}8812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.899{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.899{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.899{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.899{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.899{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B958-62E7-5505-000000006A02}8812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.899{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B958-62E7-5505-000000006A02}8812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.899{99CEBDD5-B958-62E7-5505-000000006A02}8812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.318{99CEBDD5-B958-62E7-5405-000000006A02}56764128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.106{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B958-62E7-5405-000000006A02}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.106{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.106{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.102{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.102{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.102{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B958-62E7-5405-000000006A02}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.102{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B958-62E7-5405-000000006A02}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.103{99CEBDD5-B958-62E7-5405-000000006A02}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.014{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F76381405C89FB2B27E0DBFEE01E53,SHA256=B23340330807442EADB1FD4774706F40870EFA2556DB7DF18BA58D42C9CCC0D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:32.006{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.cs@2022-08-01_113027MD5=0BB31B25557A68ED32466E486BCB7F9E,SHA256=A3139B07A04AC41C8A0630DB578EB0154A8FE400DBF725CD552E4FB49347566C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:31.998{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.csMD5=3A6E6062F0162FD604C70E8FF2A12A86,SHA256=F3A40E01BFA2671D9EB92C8CA6C5AD4AF3413A5D00D4BDDAAA44BD95910B5921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:32.998{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D36BB6308A1BA40EDE3CBA89AC7364,SHA256=68BA7B322F459278328FCC88F57F086230BE4D40164C21DBAB7B9278E196CDA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:33.245{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1e801be|UNKNOWN(00000323D28D32E3) 23542300x8000000000000000124738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:33.042{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EF0187986E0E531E52430A54FBFDAF,SHA256=DC32392E6408045FBCD63E2F828A10A28FCFE943C84FC9548595A879D8EEF7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:34.310{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7ED055617ECCA7D74831F49815B0160,SHA256=8A19BEB19C96FBB905594A140CA904940628F6403EAE2695C3AC9719A0B7BEEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:34.905{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:34.893{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:34.893{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:34.893{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:34.889{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:34.889{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:34.889{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:34.889{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:33.254{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61653-false10.0.1.12-8000- 23542300x8000000000000000124741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:34.182{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\respondent-20220801091716-129MD5=C43D34BE2B67B59870C23F5D1C058A3D,SHA256=06E4DF658D34D48A70EC2DD38C98F92C1FEF70D2DB99183ED0883C06837ECC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:34.049{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7EA037575A44F9A2A2083DE8777FD0,SHA256=28AD21AF259DC5F383B19671F16720ECFE06A7B3402AF1E4CEA8A6F10036011A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:35.420{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B717C87BAEB5557067B26825CBAABF2,SHA256=80782584B609A5AE1D5CA337D0086E1076139A10D6BD66C7685F005CB4C75219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:35.183{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\surveyor-20220801091714-130MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:35.069{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C9BC7B073E2019BB946473DC23CD1C,SHA256=3B27FCA61C1F1DA9539F5F0895C1795E06ACAF29CD1EFB046DEEFBEC0D0F647F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:36.514{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAEA252351469F392B44EBCFB2B6BD3,SHA256=BB8BA98CE21453BAC5656334546ACA7560320F415276CED6EA18313DA795B80A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.519{99CEBDD5-B95C-62E7-5605-000000006A02}9372ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Temp\CSC4EB9FCE4F0304B49A0A93E4B27AEFD4.TMPMD5=289A1FDD817B06199F2CC533451F9FEC,SHA256=5B2136F8B625E0ABC11B246100DA9ECC330F76EF9F81A7826E46043EBE0A9DA3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000124772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.localEXE2022-08-01 11:30:36.519{99CEBDD5-B95C-62E7-5605-000000006A02}9372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Temp\dcrat.exe2022-08-01 11:30:36.519 23542300x8000000000000000124771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.519{99CEBDD5-B95C-62E7-5605-000000006A02}9372ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES161.tmpMD5=7543CA758492D1CD8EEF8ACF8AD9D9BC,SHA256=65A3C4D50B08AECECB7B6F63CBA41F759851A40C1F52684AA51AC0B32BA6CE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.515{99CEBDD5-B95C-62E7-5705-000000006A02}2328ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES161.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.507{99CEBDD5-B8CE-62E7-3905-000000006A02}51486316C:\Windows\system32\conhost.exe{99CEBDD5-B95C-62E7-5705-000000006A02}2328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.507{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.507{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.507{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.507{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.507{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283536C:\Windows\system32\csrss.exe{99CEBDD5-B95C-62E7-5705-000000006A02}2328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.507{99CEBDD5-B95C-62E7-5605-000000006A02}93722660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{99CEBDD5-B95C-62E7-5705-000000006A02}2328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.506{99CEBDD5-B95C-62E7-5705-000000006A02}2328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES161.tmp" "c:\Temp\CSC4EB9FCE4F0304B49A0A93E4B27AEFD4.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{99CEBDD5-B95C-62E7-5605-000000006A02}9372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.execsc.exe /out:c:\temp\dcrat.exe C:\Temp\1.cs 10341000x8000000000000000124761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.350{99CEBDD5-B8CE-62E7-3905-000000006A02}51486316C:\Windows\system32\conhost.exe{99CEBDD5-B95C-62E7-5605-000000006A02}9372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.347{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.347{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.346{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.346{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283536C:\Windows\system32\csrss.exe{99CEBDD5-B95C-62E7-5605-000000006A02}9372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.346{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.346{99CEBDD5-B8CE-62E7-3805-000000006A02}34768576C:\Windows\system32\cmd.exe{99CEBDD5-B95C-62E7-5605-000000006A02}9372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.345{99CEBDD5-B95C-62E7-5605-000000006A02}9372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /out:c:\temp\dcrat.exe C:\Temp\1.csC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319" 23542300x8000000000000000124753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:36.090{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF183E51ECD51468719FAB8137F3804C,SHA256=53261245BA5DF0492B62052E439201D10E72D0AA64D4B35C0665EB1305EC1EC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:34.311{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51266-false10.0.1.12-8000- 23542300x800000000000000062965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:37.717{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033D8E30C24626A13E027B6F10F9053D,SHA256=B261B33265DE94018B7E2D0EABF55E9DC844FE597A308216E640F36E41F7BB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:37.407{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D1AC6FB07401E479C8D7723EB02BC5E,SHA256=69F455F7DA22DD3F87910D80B82AB8E8DB20BBAD36B599C9A6BA783B2B73A5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:37.111{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049082A80285C2136782A41D879D4177,SHA256=9246D57E4835C4C587661C6A0EEBEAE03EBB6D6A4A6478B58DB7D326384D3B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:38.842{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=320FA3013C6B8621D1E05991FF43DF5C,SHA256=CBEAB09B73FF932EFAC62BD191F5A326ADAAD7997B1437C1F512F78371410C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:38.810{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0674C42ACC401E3E68FDE2779E8AA342,SHA256=D7CEC0EFC817814BA7FA624EA1DB7C644ED3758D0D66C95D14EF3E211C82EB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:38.120{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6C3C671484F011BBD14A5CC543CCA4,SHA256=67B4C29B0811F3060086151367A235BEF1D9C5993E7CF0C985ED829CF7560940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:39.904{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFA2C767A148976A619BBF157BAD11F,SHA256=F6E40B97D4D6AFBB9A2AFDBE042B1353529E5B69955FF6CC8DB522A3E787F267,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:39.463{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:39.463{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:39.463{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:39.455{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:39.455{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:39.455{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:39.454{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:39.131{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1428F52EE83E41EAFFCC78BDC9429294,SHA256=17EDB9A5C1BB75B37AE71B221F6700BA435A67F35DA6B58972D6AA1CFD8B9418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:40.140{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DD8FEE543CDADDE8005B54B3D3F4B2,SHA256=EF4FC6A94BC53DCECD0DBD31C4D4BC3973431EACA5740543D7AFFF0787D770DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:39.165{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61654-false10.0.1.12-8000- 23542300x8000000000000000124786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:41.155{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B79B311F65AFE66F69A3329F163BEA9,SHA256=93A9B1829E58996009399EBAE66E200D5C9BEFF96C3967EE8EA6508CF6847840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:40.998{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9EAE21B9323E03BF9D728D3EB00CCB4,SHA256=51FDEA2CB0F2F742B80C1E1C745A1F67DDEF35C6A635EB6FCC5F6AA0B87ED056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:42.261{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6223094375F659AED7901CCC5019181,SHA256=AF4AFF5DF2B014492F73B1F9965A897AF580EDB46F0C676E3E5087E41B57A763,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:39.326{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51267-false10.0.1.12-8000- 23542300x800000000000000062971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:42.310{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256316F500E654738810B1168806D82E,SHA256=31BA7E22042B2F75EC8882B6452BF009E1B3CF478EBBD6B668AC1D26DC5DBA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:43.368{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACDA824901B0F2B1797AE2FE926FF74,SHA256=DAF7874C53F5140B7B8C5653EADE90228912BAD0E38BC36F84913E9CA0A2D21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:43.404{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50ED52C5EC6ACEF58FA8EF67AC62815D,SHA256=43FB524DCA216F8C03DBFC2C139C2BC9739B5D2AF640D75394DBF42622820C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:44.498{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266A2A4909597BF89BA1EC20DF0E0B44,SHA256=6443EC2724EB11BB396ACED03E15ED99A9B72E43AB4F07FCB82571848862B34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:44.385{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314359295C56EABC9D6B5A2C7F59D9E2,SHA256=16DD5AD1141FF72478CDC0A1F593C947560C9C4954A067BB2A236AFF64F1199A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:45.592{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C10C2C2D34D76C2D62D20204293EC5,SHA256=9B287ADBFABB835CC0B0A88C2CC0CCA0065C5EB3204D6073B71FA0ADE0D331C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:45.403{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B93398C022300FF8EEF2615DA40429A,SHA256=CB41B07D4F51E4432E8F0B9D0D1C72A6EC543032108EC1629E27C86336FC81A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:44.272{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61655-false10.0.1.12-8000- 23542300x800000000000000062976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:46.904{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652630B9571023FB8376C1FC827FCEC6,SHA256=E6970BB0C8AB68A96CBF5B47B64D2E99B10F01053F85BC535F4CC272B6309B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:46.408{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D827CB85021253E46B0A15822DF698,SHA256=41C766D48BC4C0D918DA29FBE1DCD54028EBA9879B635A24ADE13C4BCF15C0DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:46.251{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.csMD5=F84981C5B1BAB6674EF958AB78BF8B36,SHA256=E4C1B4AF7D79C454B1207AE24A608E63E6FF99AD83FB7F9B27C3FE578C2E3ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:47.418{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A72E035FB21A8D40BD3DB25EB6B011,SHA256=FAA10768F7F3C7E3E314656204914C2D5176B2ABF6CDE1DEBF303F147845D1E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:45.326{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51268-false10.0.1.12-8000- 10341000x8000000000000000124797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:48.996{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1e801be|UNKNOWN(00000323D28D32E3) 23542300x8000000000000000124796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:48.431{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8249106270BD42FB4620178E28E00E1A,SHA256=9F8C448C19F26E6D4372155856F3ED6194EFCC1724F86128FD54631246BF770B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:48.217{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933208C716E2F99F5B3D143F71E77A2F,SHA256=399A6A178F65E7D0FE081BE4B993DCB34A9DD4953D512B461B8666FDA21913E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:49.452{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F921FF4E1B76FAB96B35164B916D87F5,SHA256=A1E6EE5B7E881D72F4CCD302D7A264706B1FE069977AD2ABCF6EC37F1A1AE619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:49.529{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0289CBED6CE3C255CF62E9A340586A,SHA256=63BCF687F4C56A7517EE792CDF9D92E1B188544A358E52AB419FF8A8E4E474EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:50.638{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF524E66DE86F09BD20D8C6895019D3,SHA256=291A4148D0039372E70D930F8D50617AE4EAD4AED907C59E17EA6F07FDB9FAE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:50.526{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:50.514{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:50.514{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:50.510{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:50.506{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:50.506{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:50.506{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:50.506{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:50.467{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE53F3E5DFC3AB65DB48EEC2D04283C,SHA256=C3805066631284E4B53A0A86F6344D2943CA31E48CCECCB2A116606BA47DF66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:51.842{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE956FBBE0E455FC36DBEE196D560B3A,SHA256=5F681E75BB5851777064E4FE5BB7DFDF10094204F53907746D4FAEFF81EE83D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.752{99CEBDD5-B96B-62E7-5805-000000006A02}5944ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Temp\CSCF42669433ECB4BFAB8EE1BAFB33E6DE.TMPMD5=289A1FDD817B06199F2CC533451F9FEC,SHA256=5B2136F8B625E0ABC11B246100DA9ECC330F76EF9F81A7826E46043EBE0A9DA3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000124829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.localEXE2022-08-01 11:30:51.752{99CEBDD5-B96B-62E7-5805-000000006A02}5944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Temp\dcrat.exe2022-08-01 11:30:36.519 23542300x8000000000000000124828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.752{99CEBDD5-B96B-62E7-5805-000000006A02}5944ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Temp\dcrat.exeMD5=B63AFB20FBD8BADA5977A97F4E5E1030,SHA256=A27594E01F23E10874258150D25ABFEEE28DCFE7821EEF4805DE47CB716BC999,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744falsetrue 23542300x8000000000000000124827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.748{99CEBDD5-B96B-62E7-5805-000000006A02}5944ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES3CD4.tmpMD5=46554242D0211C70B027A344AA10E1B6,SHA256=84050648D359B0C739A7B796EFB3105940793C83E056682E9079B02F87D5AA34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.748{99CEBDD5-B96B-62E7-5905-000000006A02}2012ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES3CD4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.740{99CEBDD5-B8CE-62E7-3905-000000006A02}51486316C:\Windows\system32\conhost.exe{99CEBDD5-B96B-62E7-5905-000000006A02}2012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.740{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.740{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.740{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.740{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.740{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B96B-62E7-5905-000000006A02}2012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.740{99CEBDD5-B96B-62E7-5805-000000006A02}59447120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{99CEBDD5-B96B-62E7-5905-000000006A02}2012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.739{99CEBDD5-B96B-62E7-5905-000000006A02}2012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES3CD4.tmp" "c:\Temp\CSCF42669433ECB4BFAB8EE1BAFB33E6DE.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{99CEBDD5-B96B-62E7-5805-000000006A02}5944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.execsc.exe /out:c:\temp\dcrat.exe C:\Temp\1.cs 10341000x8000000000000000124817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.587{99CEBDD5-B8CE-62E7-3905-000000006A02}51486316C:\Windows\system32\conhost.exe{99CEBDD5-B96B-62E7-5805-000000006A02}5944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.587{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.587{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.587{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.587{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.587{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B96B-62E7-5805-000000006A02}5944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.587{99CEBDD5-B8CE-62E7-3805-000000006A02}34768576C:\Windows\system32\cmd.exe{99CEBDD5-B96B-62E7-5805-000000006A02}5944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.588{99CEBDD5-B96B-62E7-5805-000000006A02}5944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /out:c:\temp\dcrat.exe C:\Temp\1.csC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319" 23542300x8000000000000000124809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:51.474{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C41DC0C03FAEE5F5B0C9272A53531EEA,SHA256=D3FFC1026A523D32668809C30093F856F56064C8F76E0084D38D4A87CAD4E9C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:50.127{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61656-false10.0.1.12-8000- 23542300x8000000000000000124832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:52.653{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAE693F16A4D2D1299E0E066AC4FA85F,SHA256=68573315F9D33FF5EF9A8A60C0FB8BB4E3BCB90D23E56608AFE50420910A7BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:52.493{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C88E2E323A7BA61287DDCB9B2A7237,SHA256=5C1D1880F5A753FB07D03A42BBE10B6ECFB0728EF9FD0D49DA24762C1775C15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:53.514{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865CB6266A0E08E4270A22A4EB3E445F,SHA256=ABD13D24059C4040BF9F2EE86E3368C31928DDC90A3C2258AB498171C728FDFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:50.373{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51269-false10.0.1.12-8000- 23542300x800000000000000062982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:53.045{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA03944D5011D4327CE0DD5CC8707F8,SHA256=AE8628E1ADAD4BB9C8C5F7D6B9DABA666013BFF8B9B0E726E40C25128B700399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:54.620{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F07929EC39E216E10EE36F8CB6880C,SHA256=268FA9075071CC5CC432F7019A69AD9C9EEC2C70C410368C42E9C491449166C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:54.139{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4ADB89613B84AC3DB6E0A16B64172E,SHA256=6CA15C07F466EA0E8D97FD69B6A62FC5D9888302E04130EC00BAB0BC641B1202,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:54.195{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1e801be|UNKNOWN(00000323D28D32E3) 10341000x8000000000000000124844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:55.929{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:55.913{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AD00-000000006A02}5096C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:55.913{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AD00-000000006A02}5096C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:55.913{99CEBDD5-9A41-62E7-8C00-000000006A02}49406832C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AD00-000000006A02}5096C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:55.905{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:55.905{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:55.905{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:55.905{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:55.633{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6DF538EB85589571E59869D6568E75,SHA256=853149FE0CC6A3657088ED64C628A3C64A81CD1B2580DEB8C893C3E2D9E1153B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:55.982{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:55.763{6DD70E3E-9A06-62E7-1200-000000006B02}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8E52C481B1E9E5012CE6FBFC4628C8E9,SHA256=C9B04C091A8045B41939FE7208FB2D5C67DA8D9D2CD68F45C0B3620E8E311D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:55.232{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6379D9DEEB6C8256F613DDE8C4D7106,SHA256=1818291C5D439DEBB62441A829D0681FE7CBCE0A2DB092CABBA5B2D1FAFCF13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:56.653{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05ED988968BB4F02D895D2344E9A5BE2,SHA256=5D1AC721FAFEE2137E4A6857F0F5FACE06854312042F0612B60CFEEB94DAC635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:56.435{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1292F97CF5F0FF5CD74F667E4408FF,SHA256=91E53040056D22DC35F1A0E53845B4858828093F16CA13659245A6B16899FBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:57.667{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EE5C1FA6371B664D322B2C8659E953,SHA256=A953053F55DE9DDA7CE29864D3AB953BCD1F9E4A9170C9C109543F1D2372792D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:57.638{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36235B2E78C84715A9EDE38EEFDF66DB,SHA256=45DD693363DC7EAD065E26D5AAB5AAF803988C781E5D4E26BA61B3F3563BA82E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:56.087{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61657-false10.0.1.12-8000- 23542300x8000000000000000124849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:58.741{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EFD7559A1D70510BA809278F96C39268,SHA256=9FF685348930B6399776F54A06ADF861D1C142EADF81F3813F2DF55303E3DB4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:58.678{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF3B866A4465ECF05A29054EB6FC90B,SHA256=79430E22CECB624040CDF5448BDCD587E980469CC596E82A5DE54248285EB267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:58.732{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B033AD124C9276D15515420C79A83D62,SHA256=C2902F0051E2BBE5D976C582AFD985E3406CBCC6EDAA8DA78A970FFA1386588E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:55.123{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51270-false10.0.1.12-8089- 23542300x8000000000000000124850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:30:59.689{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9211E1FC21E246BCCF56034FCC055E,SHA256=31ADB7761069F4381745C1966D47715668857FFC7D33AC68180343D6065D4232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:59.826{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7F31AD27419E6C3B2D4ADDDE29530B,SHA256=4900B9F095942D82E2A3F33FBE183D3F5FFD03578AB309869FA9527CC4D88A3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:30:56.389{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51271-false10.0.1.12-8000- 23542300x8000000000000000124851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:00.695{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D8DF821B49C8F06FBECCE8C1BFDA0A,SHA256=4CBCEDE1E7869F54D7E94C5F6233F834C3A7D4662F9EDBBB1DA499FC7BF3D68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:01.708{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EC65718ED28720638ADAA70E590068,SHA256=B2BFDC55DD5551B36F9E47C879E83091FB3319D8B8A07387D76F2DCA6DE56263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:01.029{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19333EED4F5DA9AA9201A50C2F094535,SHA256=4DC81EC5B48C1F832F7AAB41395CEFC1C7E5FE6D1859FF2A7E4060E405660AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:01.455{99CEBDD5-9A0C-62E7-1100-000000006A02}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=91159117C1F8CC3739BB30095D58F64B,SHA256=3DA5FF1E4C45F301A7A0708E8A7B00F871ABCF16C40208457A037CFEC3AD82D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:02.817{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8C9CF433A783AA04558E864CF4531F,SHA256=70086B2A0729C9335C3791C27B0B7F00B5E9C31DCE85006F164AB6AC32BDEBA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:02.232{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0685FC2EDBFCEF10F70D3FA0FA4AE8,SHA256=5592B7797E0FE8D98615041721CED3E4DEDA8FF29A20893DE50FAB353ADF0CE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:01.247{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61658-false10.0.1.12-8000- 23542300x8000000000000000124856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:03.834{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224699F1F8B5379464616404889EA1BF,SHA256=B8374998949A265D03354F31FC87289019B17C077FCA3E73997C73B8CA340C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:03.326{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC542E9E7F7790F8EDC817AE19798F22,SHA256=8A95CC33C32C019FE830DB80C9754B29E24559A8F6EF1AD856F969DD62E739B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:04.847{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA701F0253B854707944023B27CCA4A,SHA256=97AD0A14CEA5A975762988A530FD0C290D884ED7274719110FD551685A386F51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:02.185{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51272-false10.0.1.12-8000- 23542300x800000000000000062997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:04.420{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2973256FCD717F6CF7BF80C07083C02,SHA256=80BAE73C2A40E44A5373175885EE8606456A9BA4BD1A9E4BC9A4070DD9EB5A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:05.860{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21389575AD63F8597C8BB7FC04842967,SHA256=424601703A72D51FC354B24908B5B4C7475CED8C52810F50070309F7C0D97566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:05.513{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476F60F9CC21400A3B74754FA34EF418,SHA256=492D7A15A6FCC9DEC08801E1CAB96D45AF9D5E126DE9A49733576978213FB432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:06.969{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB99B1FA24C562967DDD0D3BE4B907C,SHA256=C6F5FC8195C6E86986FADB400ECD199407CA148B1C9A83B7DC369244B754EE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.826{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1FA512D09B0DB688FD6DFC3351FDB5D,SHA256=D087102C0B70EAA2737D325D1BBF0859174F5AA0DFF0066505F033CA57E94934,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B97A-62E7-4604-000000006B02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B97A-62E7-4604-000000006B02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.732{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B97A-62E7-4604-000000006B02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:06.733{6DD70E3E-B97A-62E7-4604-000000006B02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:06.849{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\datareporting\glean\db\data.safe.binMD5=3809A906FFEEC2674D101DEAED8D3186,SHA256=D3707FD85C59C3FC4CD24CA3EEAE4C8468EF4CF0C0E023E5611E6766943123AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:07.988{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C76A99EFF1C12751DFC08F81B6500E,SHA256=95587671EF3017755E1C26E8B2EB16AB939A3C2AF3CE83910373CF4B85F40855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.951{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63A23CCD0155E56C4DC08CA2A9195ACC,SHA256=28E011D1B800036E25A4CA57E4EC377A9DC11070B741F2B6E7F70F74995C16A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.951{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55685B1F225588CC2275E20B940EBC15,SHA256=C235C7DF62666C595BC7ECA7D70919BA63CBDA699F916C63432F6CBE1C1EA40C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B97B-62E7-4804-000000006B02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B97B-62E7-4804-000000006B02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.826{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B97B-62E7-4804-000000006B02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.827{6DD70E3E-B97B-62E7-4804-000000006B02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000124861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:06.315{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61659-false10.0.1.12-8000- 10341000x800000000000000063026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B97B-62E7-4704-000000006B02}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B97B-62E7-4704-000000006B02}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.326{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B97B-62E7-4704-000000006B02}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.327{6DD70E3E-B97B-62E7-4704-000000006B02}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:08.996{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1854E22DFAAB0EBBE3923989BFEEF231,SHA256=70412C7C0E5D94018CF6660BD71CA1A82337FC9F995CFBDD504F63FF49B899E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:08.904{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10CE228C3E6980AA9CD602961C243A4,SHA256=A28F0C573B9378C585F82AED21C87915AC9E7A9D5841D956C543A89F59545F42,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000124863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:31:08.655{99CEBDD5-9A0C-62E7-1200-000000006A02}384C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8a59a-0x31cdf4bd) 10341000x800000000000000063042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:08.107{6DD70E3E-B97B-62E7-4804-000000006B02}38122800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000063045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:07.357{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51273-false10.0.1.12-8000- 23542300x800000000000000063044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:09.138{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=556DBDA283F268E2178D63F972CC5492,SHA256=6046910017038E1A26149532D6D0194D3A4BD05B975A3005D15C0A5517F23BBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:08.673{99CEBDD5-9A0C-62E7-1200-000000006A02}384C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14malware.com123ntpfalse168.61.215.74-123ntp 23542300x8000000000000000124865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:10.013{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C8209A05C8E9B6B0A0A3D3012C3D10,SHA256=E0B0454666C66CF76DD638B2BE91730A3B8434BF1D63D2FD29D0D303A5858DFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.404{6DD70E3E-B97E-62E7-4904-000000006B02}16123520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B97E-62E7-4904-000000006B02}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B97E-62E7-4904-000000006B02}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B97E-62E7-4904-000000006B02}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:10.170{6DD70E3E-B97E-62E7-4904-000000006B02}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000063046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:09.998{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF453C8CC9E42A5EE92B0229022F9BC,SHA256=42BB1639129307D11AA2E2EE6D6437B41CC808472D2A4FEEBDF008DC324E11AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B97F-62E7-4B04-000000006B02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B97F-62E7-4B04-000000006B02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.982{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B97F-62E7-4B04-000000006B02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.983{6DD70E3E-B97F-62E7-4B04-000000006B02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000063075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.513{6DD70E3E-B97F-62E7-4A04-000000006B02}4201864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000063074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CA035953CD93DEC392355716A9DAC1,SHA256=4126B5B102B44571391D1258B9DB6D33665E6813746C3F09DA8CA828BCF27A5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B97F-62E7-4A04-000000006B02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B97F-62E7-4A04-000000006B02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.310{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B97F-62E7-4A04-000000006B02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:11.311{6DD70E3E-B97F-62E7-4A04-000000006B02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:11.858{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\datareporting\glean\db\data.safe.binMD5=3342FFEED94944D2922F1FD40614CAA3,SHA256=640754E060E20AF5EF08AA8575A8FB8E855DF199AAEF59F433B721E507A94BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:11.024{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C46BB16CC32C554CD1EFFCA16F9636,SHA256=D0F20EDE692488F60048D87C4758A5CAADA3EAB7F5DD8968E0B9CC72084A5675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:12.560{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A31DE55C5A4FEA71AC7D5391A8D9DE,SHA256=F8C2FFEC0F3531353C969968872529F2E773C540FDCE0D0CA78DA253764F5783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:12.042{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCC8E78925A00C671B023E3BC481CD3,SHA256=F3714D36E4E78CF94800E33039A674BC54E72B07C01B4D9D1ACD1137A7DAD642,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:12.185{6DD70E3E-B97F-62E7-4B04-000000006B02}36963360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B981-62E7-4C04-000000006B02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B981-62E7-4C04-000000006B02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B981-62E7-4C04-000000006B02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.920{6DD70E3E-B981-62E7-4C04-000000006B02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000063092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.826{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CB9923A74843B198C96DD31218761E,SHA256=ACE1E344BF6E6703A450FE1EFAAAAC2BA97D9D44EF2A03C2B2421E7BBB7FAA1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:12.188{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61660-false10.0.1.12-8000- 23542300x8000000000000000124870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:13.147{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF4793BFD1D085826E63AAFA0C4AF27,SHA256=7C8AD40BA515FC77B683296727297E05773B8A0B7B4327F285E61E740939BB1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:13.154{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=535590B3E702DC48700D53A9E00CE982,SHA256=8486C66A2751C4EE1B6B7CE7441FD56E29D73D4439AEACC362A8E71B0F629283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:14.160{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D554FE361E2736CA1879B0CACAB9FE9,SHA256=A96DA6DBB1F8A3DCB69AE456FED03CC145A507C0A744A25F12AF75990D4ADCD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:12.404{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51274-false10.0.1.12-8000- 23542300x8000000000000000124873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:15.170{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31C00F2ECD255BE0676F1F80EE4E434,SHA256=98A302672821E1472CF6658230FA7D2125B64003ACDE227F18D595852151C23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:15.029{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472BCF0959B825D59DF5A5B6B6CAA180,SHA256=065B78BBF9636FBF45532F9EB26885F8EDA5B9A2FD837D79FF9646A6B8C34EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:16.142{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\respondent-20220801091656-130MD5=27E9143B9CB90649B07EAF2F4EF1772C,SHA256=A1ABCC2732E4C7E234845602CC2F5F62DB7BFA56C76C6EE76535F9D8057806B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:16.124{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B863570683FB8DDA25C2A6BEBC80A0EB,SHA256=26574797878D5F0FF56355FAD33A7791D1F7DF7667BA507B6D629CAA40887F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:16.275{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:16.191{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D950FF1505DCAEA24CC5C0B1A903AA,SHA256=521FC5E7133146DF3D1BBA95FAF045722F175F7624910E7FED5EAE50764B8795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:17.216{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C4C4C5A00031BA4693FD311BCBBDED,SHA256=AFF87545630F62DF1577D303C9297F97DA031F758881DC5B82674E063697475C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:17.155{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\surveyor-20220801091654-131MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:17.205{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97967AC1CF4BAFE599C1F76E82BFC404,SHA256=BE8EAB0B7B8BACDC43398B212433D122190BB56D6A284CE2541CC7B88D9369A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:18.201{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944C41AD5368DAE765A0CF3A92E3931D,SHA256=C5DB7AE7FC6D583B8A5464986952B8DFB8EB62043FD55468B921C167181E6379,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:16.321{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61661-false10.0.1.12-8089- 10341000x8000000000000000124878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:18.289{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:18.212{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7CA52C72F2D1AF98F8CDAA47C67DED,SHA256=2A906C8ED40FCDC7EBAD473C66098C65A59ED133050C33CA3DC7CFBA276A359F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:19.295{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9F1D4D014139FA566A909C8726A639,SHA256=85B8A15FF376396D254DCD77F510B18354D29DB4CB4F5730D1C1A910F2E664E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:18.135{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61662-false10.0.1.12-8000- 23542300x8000000000000000124880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:19.218{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E44C2733437CBDF2233408F3836E01,SHA256=36133FE67BEC5F14AF74142501F5D4A44D730035163B92920049556BFAC2861E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:20.498{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269B855A226FF5A8ECD233A10B3869E0,SHA256=D6BE2C16386877BB85A21F0E14194FF4AD7FD686BB773C8E80D7540C980E44DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:20.920{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\datareporting\glean\db\data.safe.binMD5=9EED2258B38F2E1C6D1C9213C36314A3,SHA256=3AF907FD8CB5531AA0ACE853E428A36F8693A02FC97D4BED9542F6A480C00A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:20.244{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE0670EE48C96A46398C2A563729093,SHA256=8438361B1A7B852DF6D21290E5B22EF5BDEFFEE08765F66E31ADB31074575E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:21.592{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3709419A3D6E9448C28CDA7007CA10C8,SHA256=C40C2EF8B913BDF8D70361AA8405D6B94E4F516D580D519C311CAFF0D53B363A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:21.265{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C91A81BA42F08D023768F62005DB03F,SHA256=4437DFB23C41796A5BB46EEE92A1245522EE7A1F19697E8D3F81C586F668FC70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:18.405{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51275-false10.0.1.12-8000- 23542300x800000000000000063117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:22.795{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB86146178D7CD5DCD7176132F8F4A3,SHA256=55DA397FDE06E09CF856178FBF9C7DFF9BAF7F96E74683AE9968CE4B0FB942A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:22.282{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F648F400894A96BC5DC142F96EEEC4F,SHA256=664BCE93780C15ED7B5CF9552F37EAD513FDA91119F9546A56F305C14C81E35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:23.287{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E311E4187AF08BE872199A9EDB8A7CC,SHA256=5D8C02404CF1E7E7A20CA23E092BB543C1F0DD351CFA67BFFE7FE250B81CD79C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:24.300{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553752A824DDEB2676BE16DF4A5239CA,SHA256=D08291DCC7C1E7B2071330613DE38ACAEC657ED2B2FC9F9BF71F8C2DB83272AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:23.998{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4225D4135E834F790ACE69D7948D770C,SHA256=956A5ECA89E596388251C32F9B66C97CF8E580AB3E6AB8FDA207D00EEE3CF125,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:24.072{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61663-false10.0.1.12-8000- 23542300x8000000000000000124888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:25.314{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D1F8172D97B77B79545FD1D609D939,SHA256=B8F37F608BEEBBBCACB08183FE9D5ED267313265D422B15B75A3D58FB5F11793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:25.092{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D373288DC6FAC84A0FF8F329D6B726,SHA256=5DF0656878637C28A82009A29CB9833CC4CB74A071C1B9A8AC1AF3EDFFEF104A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:26.377{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E88317B18765E20875E42897E73994,SHA256=2CF1BAD41CA9049C6B9626E546DB65DB00A41278ABDA9F09C6614E821B213750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:26.186{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C0B3FCD91AFA93E53FAC510550CD9F,SHA256=308FF6DA07F97053FF41D4CC8E95B9F943E183987432474E2ECB5DB99192749A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.929{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B98F-62E7-5B05-000000006A02}8168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.927{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.927{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.926{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.926{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.926{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B98F-62E7-5B05-000000006A02}8168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.926{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B98F-62E7-5B05-000000006A02}8168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.926{99CEBDD5-B98F-62E7-5B05-000000006A02}8168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.463{99CEBDD5-B98F-62E7-5A05-000000006A02}64927952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.408{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB2C53A20BAEDD456AE7412762A568E,SHA256=DBD103F94B567B7897BE828EF7A7BC7A45918C12C1BB71AE09D18071C462B078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:27.389{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C824C9DC74AC8416112B3AABF739C38,SHA256=65B022447C207178E42C1E65215E3789C1DF5C9869A591990D22A59178E261FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.261{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B98F-62E7-5A05-000000006A02}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.261{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.261{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.261{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.261{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.261{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B98F-62E7-5A05-000000006A02}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.261{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B98F-62E7-5A05-000000006A02}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:27.262{99CEBDD5-B98F-62E7-5A05-000000006A02}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000063121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:24.248{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51276-false10.0.1.12-8000- 23542300x8000000000000000124919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:28.825{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=880BD9D2091C78C500F29C68E0923C9D,SHA256=B743333BD8295385238C7B4A9C6938DEA394F3CDE862DE9F71EBCE7F2581C2C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:28.609{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B990-62E7-5C05-000000006A02}10216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:28.609{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:28.609{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:28.609{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:28.609{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:28.609{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B990-62E7-5C05-000000006A02}10216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:28.609{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B990-62E7-5C05-000000006A02}10216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:28.609{99CEBDD5-B990-62E7-5C05-000000006A02}10216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:28.546{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213D960DB8EE4B2E517847C4D16CCF20,SHA256=2E992AC8CE86AB2F2ED341691364A9B9B39E4FCB106596D6394315978592A7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:28.592{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEC3EAC9CC6C01CD70ECA03C37F5FE7,SHA256=BFBB2222D02338B08F3BE77E7538686D24D50B9068DA8584F45C46F4CF4229EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:28.362{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8596492DAEFE927C248B031737B2EDE2,SHA256=C1D9947A91D187A1D47065D65CF35F2F5AC8166FDD28B2D84D3FEE045FD5F6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:29.576{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5DDE8BAB4F375B0D640D5F3111F0AB,SHA256=A06309B6EEED748B33D6B566A432120CB9924638E46CBE3A0D8E769C935528BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:29.686{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667A280EAB191395719ECAD2DF434497,SHA256=74D1A63D82A817C1872DE4DEAE68E778521181DFA54B76D424DE3390F23855DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:30.944{99CEBDD5-B992-62E7-5D05-000000006A02}87129320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:29.270{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61664-false10.0.1.12-8000- 10341000x8000000000000000124930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:30.760{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B992-62E7-5D05-000000006A02}8712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:30.760{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:30.760{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:30.760{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:30.760{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:30.760{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B992-62E7-5D05-000000006A02}8712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:30.760{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B992-62E7-5D05-000000006A02}8712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:30.762{99CEBDD5-B992-62E7-5D05-000000006A02}8712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:30.744{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1e801be|UNKNOWN(00000323D28D32E3) 23542300x8000000000000000124921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:30.606{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BD1C5819C5527886093816EFCE81EB,SHA256=3DF4EA10C3A846A79625AA5B6FE5E92C0BE45DF393B0306737DB6D12140F3668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:30.779{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F826AB19846B2845B473C257B1C81332,SHA256=043F3B802EAE2592950AD47DF27D291DD10184E472D7D8871DC11996C915A26B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:29.654{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61665-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 354300x8000000000000000124943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:29.654{99CEBDD5-9A1A-62E7-2600-000000006A02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61665-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 23542300x8000000000000000124942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:31.743{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E45A0B8CD24B892E58A3AAF7D68BA2A,SHA256=3947D9CF1CB9B512E2B46802EA6AEFE3B0B5FCEE596F69265333D28AF349A2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:31.873{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DC0CB37F9354CC33E78D2311C3FE92,SHA256=5BF0615448902A6F5C45818759BB0E13566C4EB8D87433B6E6248B22398EE887,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:31.627{99CEBDD5-B993-62E7-5E05-000000006A02}71324852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:31.443{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B993-62E7-5E05-000000006A02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:31.443{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:31.443{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:31.443{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:31.443{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:31.443{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B993-62E7-5E05-000000006A02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:31.443{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B993-62E7-5E05-000000006A02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:31.444{99CEBDD5-B993-62E7-5E05-000000006A02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.924{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B994-62E7-6005-000000006A02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.922{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.922{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.922{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.922{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.922{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B994-62E7-6005-000000006A02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.921{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B994-62E7-6005-000000006A02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.921{99CEBDD5-B994-62E7-6005-000000006A02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.873{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FCAA9B4335583DF6185B4AEF4CC21E,SHA256=76842D7083D6408B9F40B3A3B0A641A8D6337055B9F6F762328E68F3C167BBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.404{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.326{99CEBDD5-B994-62E7-5F05-000000006A02}33086004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.142{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B994-62E7-5F05-000000006A02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.142{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.142{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.142{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.142{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.142{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B994-62E7-5F05-000000006A02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.142{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B994-62E7-5F05-000000006A02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.143{99CEBDD5-B994-62E7-5F05-000000006A02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000063127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:29.342{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51277-false10.0.1.12-8000- 23542300x8000000000000000124964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:33.941{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9D21D0F4B4EB659D4A5A97EEA73A89,SHA256=61772ED910EC720914C0FCFE9A338AE9B9B663E386FE83756F71DA7696A01F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:33.186{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3DFFA9D6E02A597334D85981010FC45,SHA256=D7DE4EB5E0C45FC03EB9E205A07F3529BF6A4F4A9E70391A25A7A093C66E1CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:34.987{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B10634FB9BAEED23421E3EE50102DF,SHA256=78E868D660F6221E9197D9AB6D8FB4791ECE433D0423F617692F7DA09DB4E875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:34.279{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08D796BFCC5C43525A2921AF2DF9561,SHA256=7AE9B17AAA347E0B5DB2F7095F91E5AE065369E500F8B813C8F66CB37998EE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:35.373{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE43FCACCA6E5AD8D18AFBFCAD8CC78,SHA256=A445005027CDBCAD3601B4E02CE2AC75C1846C9B30DCF4651BE5363FC598A435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:35.706{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\respondent-20220801091716-130MD5=C43D34BE2B67B59870C23F5D1C058A3D,SHA256=06E4DF658D34D48A70EC2DD38C98F92C1FEF70D2DB99183ED0883C06837ECC6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:35.671{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AD00-000000006A02}5096C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:35.671{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AD00-000000006A02}5096C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:35.671{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AD00-000000006A02}5096C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:35.671{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:35.671{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:35.671{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:35.671{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.477{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14malware.com51713-false172.217.0.164ord38s42-in-f4.1e100.net443https 354300x8000000000000000124966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:32.476{99CEBDD5-9A1A-62E7-2D00-000000006A02}2748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local51714- 23542300x800000000000000063132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:36.576{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8649944F95DC688E626B4049756636,SHA256=E98AA960797B106C37B8FBF37A221664DC67D7A02EF122E73A7BED7835334696,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:34.358{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51278-false10.0.1.12-8000- 10341000x8000000000000000124986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:36.971{99CEBDD5-9A7B-62E7-AE00-000000006A02}52285452C:\Windows\system32\conhost.exe{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:36.971{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:36.971{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:36.971{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:36.971{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:36.971{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:36.971{99CEBDD5-9A7B-62E7-AD00-000000006A02}50965064C:\Windows\system32\cmd.exe{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:36.972{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exe0.0.0.0 --dcrat.exedcrat.exeC:\Temp\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=D2904558BDD7D6341E85967FB4C8FD72,SHA256=67003B9CC43D7D2DF0A7AF89A2ED756100B0758072664ECCEBD11EA7341EC25A,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{99CEBDD5-9A7B-62E7-AD00-000000006A02}5096C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 354300x8000000000000000124978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:35.302{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61666-false10.0.1.12-8000- 23542300x8000000000000000124977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:36.703{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\surveyor-20220801091714-131MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:36.087{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AF3D9B25DC28DC89EFCB2742F4FECE,SHA256=218FE9ABF71C3050262C108DAAF57DECF7136DE7576B4DC1B02E6F1AB5D8A4B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:37.670{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7396F6A275C0D8FFA3254F8BD305D128,SHA256=12A9FC7E7145F1DD19839F414B94101E7A21BDCC8F961D1E0C9A666DD8AB375F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.861{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C1F09898C418F4FDEAC5E206583708,SHA256=0E76C5F3799EA16E86E2F4C66AB1CA7C06F39461D5CD38150270E2D646459E87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.830{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.830{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.830{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.830{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.830{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.829{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.829{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.777{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B999-62E7-6505-000000006A02}3344C:\Windows\explorer.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.777{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B999-62E7-6505-000000006A02}3344C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.730{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6505-000000006A02}3344C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.707{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A0C-62E7-1500-000000006A02}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.707{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6505-000000006A02}3344C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.707{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6505-000000006A02}3344C:\Windows\explorer.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.707{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\iertutil.dll+36f61|C:\Windows\SYSTEM32\iertutil.dll+36b10|C:\Windows\SYSTEM32\iertutil.dll+34d3c|C:\Windows\SYSTEM32\iertutil.dll+350ef|C:\Windows\SYSTEM32\iertutil.dll+48208|C:\Windows\SYSTEM32\IEFRAME.dll+2bac42|C:\Windows\SYSTEM32\IEFRAME.dll+9b749|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\SYSTEM32\IEFRAME.dll+197c0|C:\Windows\SYSTEM32\IEFRAME.dll+e3aad|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.707{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.707{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.707{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.707{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.707{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.691{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+270ac|C:\Windows\SYSTEM32\iertutil.dll+281a3|C:\Windows\SYSTEM32\iertutil.dll+36aa1|C:\Windows\SYSTEM32\iertutil.dll+34d3c|C:\Windows\SYSTEM32\iertutil.dll+350ef|C:\Windows\SYSTEM32\iertutil.dll+48208|C:\Windows\SYSTEM32\IEFRAME.dll+2bac42|C:\Windows\SYSTEM32\IEFRAME.dll+9b749|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\SYSTEM32\IEFRAME.dll+197c0|C:\Windows\SYSTEM32\IEFRAME.dll+e3aad|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.699{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5100 CREDAT:82945 /prefetch:2C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=7D930D55986DF5C69CF1A9C2DE7E33B3,SHA256=BEBB0D2229700C6A62B7811985061DC75F6279AB0FF8747C47CCADB6CC2CC462,IMPHASH=E7542C041AAD637F8E6918BBE235A488{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.com/ 10341000x8000000000000000125037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.691{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A0C-62E7-1500-000000006A02}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283536C:\Windows\system32\csrss.exe{99CEBDD5-B999-62E7-6505-000000006A02}3344C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B999-62E7-6505-000000006A02}3344C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\IEFRAME.dll+1ea29|C:\Windows\SYSTEM32\IEFRAME.dll+1e9a7|C:\Windows\SYSTEM32\IEFRAME.dll+1e921|C:\Windows\SYSTEM32\IEFRAME.dll+1e732|C:\Windows\SYSTEM32\IEFRAME.dll+2a7cb0|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6505-000000006A02}3344C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.683{99CEBDD5-B999-62E7-6505-000000006A02}3344C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{99CEBDD5-9A0C-62E7-0C00-000000006A02}832C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000125026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.676{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.660{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6305-000000006A02}1048C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.660{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.644{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6305-000000006A02}1048C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.629{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6305-000000006A02}1048C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.629{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6305-000000006A02}1048C:\Windows\explorer.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.629{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.629{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.629{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\IEFRAME.dll+1ea29|C:\Windows\SYSTEM32\IEFRAME.dll+1e9a7|C:\Windows\SYSTEM32\IEFRAME.dll+1e921|C:\Windows\SYSTEM32\IEFRAME.dll+1e732|C:\Windows\SYSTEM32\IEFRAME.dll+2a7cb0|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.629{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.629{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.625{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.624{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.620{99CEBDD5-9A3F-62E7-7D00-000000006A02}3228884C:\Windows\system32\csrss.exe{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.620{99CEBDD5-B998-62E7-6105-000000006A02}59648244C:\Temp\dcrat.exe{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+38b1ac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd65|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+633e85|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6893 154100x8000000000000000125008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.620{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.comC:\Temp\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=DED3D744D46A5CE7965CE2B75B54958A,SHA256=70C9616C026266BB3A1213BCC50E3A9A24238703FB7745746628D11163905D2F,IMPHASH=9BB01C801600CEBDCA166D0534E98CE6{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exedcrat.exe 10341000x8000000000000000125007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.616{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.615{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.615{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.615{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.613{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B999-62E7-6305-000000006A02}1048C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.613{99CEBDD5-B998-62E7-6105-000000006A02}59646688C:\Temp\dcrat.exe{99CEBDD5-B999-62E7-6305-000000006A02}1048C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+38b1ac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd65|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+633e85|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6893 154100x8000000000000000125001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.613{99CEBDD5-B999-62E7-6305-000000006A02}1048C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXE"C:\Windows\explorer.exe" http://malware-dcrat-testing.comC:\Temp\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exedcrat.exe 10341000x8000000000000000125000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.578{99CEBDD5-9A3F-62E7-7D00-000000006A02}32289904C:\Windows\system32\csrss.exe{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.574{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.574{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.574{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.573{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.573{99CEBDD5-B998-62E7-6105-000000006A02}59649776C:\Temp\dcrat.exe{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\windows.storage.dll+1665aa|C:\Windows\System32\windows.storage.dll+166302|C:\Windows\System32\shell32.dll+4c89d|C:\Windows\System32\shell32.dll+4b436|C:\Windows\System32\shell32.dll+6cf99|C:\Windows\System32\shell32.dll+e085e|C:\Windows\System32\shell32.dll+4a413|C:\Windows\System32\shell32.dll+4a2db|C:\Windows\System32\shell32.dll+49bf7|C:\Windows\System32\shell32.dll+b2e8e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.dll+84d4 154100x8000000000000000124994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.572{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.com/C:\Temp\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=DED3D744D46A5CE7965CE2B75B54958A,SHA256=70C9616C026266BB3A1213BCC50E3A9A24238703FB7745746628D11163905D2F,IMPHASH=9BB01C801600CEBDCA166D0534E98CE6{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exedcrat.exe 10341000x8000000000000000124993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.548{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.548{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.318{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.302{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.302{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.223{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2C20B6E4C5323282A59055342F6E84,SHA256=525186C3C45C16DF5E8F98701D8E3EB44BA07B3BA3AEE2C60E688912AE51C86F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:36.987{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B998-62E7-6105-000000006A02}5964C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000063134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:38.764{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564F6FAA7FC8D8FA41DDA51D0F0DEA84,SHA256=9709CA09C5E5ACBD2B2BB0E92240DDC7703678D820E0F4E4957C1EA79566E9CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.986{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.986{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.986{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8A9B9814806F338B48816BB69947AB,SHA256=069EB9466CBD9BAA192E7745679B6F5149BEA02D6D69B44C87444D445A1367F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.970{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.970{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.917{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.917{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000125149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.784{99CEBDD5-9A1A-62E7-2D00-000000006A02}2748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54437- 354300x8000000000000000125148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.761{99CEBDD5-9A1A-62E7-2D00-000000006A02}2748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local54437- 10341000x8000000000000000125147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.886{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.886{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.849{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.849{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.833{99CEBDD5-B99A-62E7-6805-000000006A02}48447764C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1bae28(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baddf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1bad86(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a864e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1d1f2e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1d1e7b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10bf00(wow64)|C:\Windows\SYSTEM32\urlmon.dll+73eca(wow64)|C:\Windows\SYSTEM32\urlmon.dll+74668(wow64)|C:\Windows\SYSTEM32\urlmon.dll+7476c(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+52e4f9(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+3dca90(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+43c8f7(wow64) 10341000x8000000000000000125142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.833{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.833{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.833{99CEBDD5-B999-62E7-6605-000000006A02}99562308C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1bae28(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baddf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1bad86(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a864e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1d1f2e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1d1e7b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10bf00(wow64)|C:\Windows\SYSTEM32\urlmon.dll+73eca(wow64)|C:\Windows\SYSTEM32\urlmon.dll+74668(wow64)|C:\Windows\SYSTEM32\urlmon.dll+7476c(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+52e4f9(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+3dca90(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+43c8f7(wow64) 23542300x8000000000000000125139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.770{99CEBDD5-9A41-62E7-8700-000000006A02}4616ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EOEFHE2X\NewErrorPageTemplate[1]MD5=CDF81E591D9CBFB47A7F97A2BCDB70B9,SHA256=204D95C6FB161368C795BB63E538FE0B11F9E406494BB5758B3B0D60C5F651BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.770{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.770{99CEBDD5-B99A-62E7-6805-000000006A02}4844ATTACKRANGE\AdministratorC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EOEFHE2X\NewErrorPageTemplate[2]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.770{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.770{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.770{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.770{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.770{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-9A0C-62E7-1500-000000006A02}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.770{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.769{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.769{99CEBDD5-B999-62E7-6605-000000006A02}9956ATTACKRANGE\AdministratorC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EOEFHE2X\NewErrorPageTemplate[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.749{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+eb637|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FB658CD8)|UNKNOWN(FFFFF511E5997E08)|UNKNOWN(FFFFF511E5992AB5)|UNKNOWN(FFFFF511E59958F8)|UNKNOWN(FFFFF511E5999CE9)|UNKNOWN(FFFFF511E599A813)|UNKNOWN(FFFFF511E598C790)|UNKNOWN(FFFFF511E598AC4B)|UNKNOWN(FFFFF511E59B103A)|UNKNOWN(FFFFF511E598B843)|UNKNOWN(FFFFF802FB36E503)|C:\Windows\System32\win32u.dll+1524 10341000x8000000000000000125127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.733{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\iertutil.dll+36f61|C:\Windows\SYSTEM32\iertutil.dll+36b10|C:\Windows\SYSTEM32\iertutil.dll+34d3c|C:\Windows\SYSTEM32\iertutil.dll+350ef|C:\Windows\SYSTEM32\iertutil.dll+48208|C:\Windows\SYSTEM32\IEFRAME.dll+2bac42|C:\Windows\SYSTEM32\IEFRAME.dll+9b749|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\SYSTEM32\IEFRAME.dll+197c0|C:\Windows\SYSTEM32\IEFRAME.dll+e3aad|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.733{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.733{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.733{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.733{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283536C:\Windows\system32\csrss.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.733{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.733{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+270ac|C:\Windows\SYSTEM32\iertutil.dll+281a3|C:\Windows\SYSTEM32\iertutil.dll+36aa1|C:\Windows\SYSTEM32\iertutil.dll+34d3c|C:\Windows\SYSTEM32\iertutil.dll+350ef|C:\Windows\SYSTEM32\iertutil.dll+48208|C:\Windows\SYSTEM32\IEFRAME.dll+2bac42|C:\Windows\SYSTEM32\IEFRAME.dll+9b749|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\SYSTEM32\IEFRAME.dll+197c0|C:\Windows\SYSTEM32\IEFRAME.dll+e3aad|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.737{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:372 CREDAT:82945 /prefetch:2C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=7D930D55986DF5C69CF1A9C2DE7E33B3,SHA256=BEBB0D2229700C6A62B7811985061DC75F6279AB0FF8747C47CCADB6CC2CC462,IMPHASH=E7542C041AAD637F8E6918BBE235A488{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.com 10341000x8000000000000000125119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.733{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.718{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-9A0C-62E7-1500-000000006A02}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.718{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.718{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+ed011|C:\Windows\System32\SHELL32.dll+ebb63|C:\Windows\System32\SHELL32.dll+eba94|C:\Windows\System32\SHELL32.dll+eb532|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8 10341000x8000000000000000125111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+ecf8d|C:\Windows\System32\SHELL32.dll+ebb63|C:\Windows\System32\SHELL32.dll+eba94|C:\Windows\System32\SHELL32.dll+eb532|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8 10341000x8000000000000000125110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+ecf71|C:\Windows\System32\SHELL32.dll+ebb63|C:\Windows\System32\SHELL32.dll+eba94|C:\Windows\System32\SHELL32.dll+eb532|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000125109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+ecf71|C:\Windows\System32\SHELL32.dll+ebb63|C:\Windows\System32\SHELL32.dll+eba94|C:\Windows\System32\SHELL32.dll+eb532|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd 10341000x8000000000000000125108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+a6f1a|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\System32\SHELL32.dll+ebbfb|C:\Windows\System32\SHELL32.dll+eb6dd|C:\Windows\System32\SHELL32.dll+eb4fb|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000125107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a6f08|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\System32\SHELL32.dll+ebbfb|C:\Windows\System32\SHELL32.dll+eb6dd|C:\Windows\System32\SHELL32.dll+eb4fb|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000125106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a6f08|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\System32\SHELL32.dll+ebbfb|C:\Windows\System32\SHELL32.dll+eb6dd|C:\Windows\System32\SHELL32.dll+eb4fb|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 23542300x8000000000000000125105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-B999-62E7-6605-000000006A02}9956ATTACKRANGE\AdministratorC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\FA1UL71F\dnserror[2]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.702{99CEBDD5-B99A-62E7-6805-000000006A02}4844ATTACKRANGE\AdministratorC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\FA1UL71F\dnserror[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.633{99CEBDD5-B999-62E7-6205-000000006A02}51003976C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+c5d42|C:\Windows\SYSTEM32\IEFRAME.dll+baeda|C:\Windows\SYSTEM32\IEFRAME.dll+bc3d9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.633{99CEBDD5-B999-62E7-6205-000000006A02}51003976C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+c5d42|C:\Windows\SYSTEM32\IEFRAME.dll+baeda|C:\Windows\SYSTEM32\IEFRAME.dll+bc3d9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.633{99CEBDD5-B999-62E7-6205-000000006A02}51003976C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+c5d42|C:\Windows\SYSTEM32\IEFRAME.dll+baeda|C:\Windows\SYSTEM32\IEFRAME.dll+bc3d9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.633{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+c5d42|C:\Windows\SYSTEM32\IEFRAME.dll+baeda|C:\Windows\SYSTEM32\IEFRAME.dll+bc3d9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\SYSTEM32\IEFRAME.dll+197c0|C:\Windows\SYSTEM32\IEFRAME.dll+e3aad|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85 10341000x8000000000000000125099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.633{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+c5d42|C:\Windows\SYSTEM32\IEFRAME.dll+baeda|C:\Windows\SYSTEM32\IEFRAME.dll+bc3d9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\SYSTEM32\IEFRAME.dll+197c0|C:\Windows\SYSTEM32\IEFRAME.dll+e3aad|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994 10341000x8000000000000000125098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.633{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+c5d42|C:\Windows\SYSTEM32\IEFRAME.dll+baeda|C:\Windows\SYSTEM32\IEFRAME.dll+bc3d9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\SYSTEM32\IEFRAME.dll+197c0|C:\Windows\SYSTEM32\IEFRAME.dll+e3aad|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85 10341000x8000000000000000125097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.533{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.502{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.502{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.502{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.502{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.471{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.471{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.471{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.371{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.371{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.371{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.371{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.368{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CA0BF1D4FB9A43FAC1F38150BFC94D,SHA256=77A2A7C6EC8915E947A8167848B90BB88BF0B6C2EA4ED033B23B56F18E2E1A17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.334{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.334{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.302{99CEBDD5-B999-62E7-6205-000000006A02}51003976C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\iertutil.dll+36f61|C:\Windows\SYSTEM32\iertutil.dll+36b10|C:\Windows\SYSTEM32\iertutil.dll+34d3c|C:\Windows\SYSTEM32\iertutil.dll+350ef|C:\Windows\SYSTEM32\iertutil.dll+48208|C:\Windows\SYSTEM32\IEFRAME.dll+2bac42|C:\Windows\SYSTEM32\IEFRAME.dll+9b749|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.302{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.302{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.302{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.302{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.302{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283536C:\Windows\system32\csrss.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.302{99CEBDD5-B999-62E7-6205-000000006A02}51003976C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+270ac|C:\Windows\SYSTEM32\iertutil.dll+281a3|C:\Windows\SYSTEM32\iertutil.dll+36aa1|C:\Windows\SYSTEM32\iertutil.dll+34d3c|C:\Windows\SYSTEM32\iertutil.dll+350ef|C:\Windows\SYSTEM32\iertutil.dll+48208|C:\Windows\SYSTEM32\IEFRAME.dll+2bac42|C:\Windows\SYSTEM32\IEFRAME.dll+9b749|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.314{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5100 CREDAT:214017 /prefetch:2C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=7D930D55986DF5C69CF1A9C2DE7E33B3,SHA256=BEBB0D2229700C6A62B7811985061DC75F6279AB0FF8747C47CCADB6CC2CC462,IMPHASH=E7542C041AAD637F8E6918BBE235A488{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.com/ 10341000x8000000000000000125074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.302{99CEBDD5-B99A-62E7-6705-000000006A02}24607080C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\IEFRAME.dll+1ea29|C:\Windows\SYSTEM32\IEFRAME.dll+1e9a7|C:\Windows\SYSTEM32\IEFRAME.dll+1e921|C:\Windows\SYSTEM32\IEFRAME.dll+1e732|C:\Windows\SYSTEM32\IEFRAME.dll+2a7cb0|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.302{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6705-000000006A02}2460C:\Program Files\Internet Explorer\iexplore.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.302{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6705-000000006A02}2460C:\Program Files\Internet Explorer\iexplore.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.263{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.263{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.200{99CEBDD5-9A0C-62E7-1300-000000006A02}8729112C:\Windows\System32\svchost.exe{99CEBDD5-B99A-62E7-6705-000000006A02}2460C:\Program Files\Internet Explorer\iexplore.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+3556e|C:\Windows\System32\RPCRT4.dll+20ee7|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.199{99CEBDD5-9A0C-62E7-1300-000000006A02}8729112C:\Windows\System32\svchost.exe{99CEBDD5-B999-62E7-6505-000000006A02}3344C:\Windows\explorer.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+3556e|C:\Windows\System32\RPCRT4.dll+20ee7|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.195{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.195{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.195{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.195{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.195{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283536C:\Windows\system32\csrss.exe{99CEBDD5-B99A-62E7-6705-000000006A02}2460C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.194{99CEBDD5-B999-62E7-6505-000000006A02}33448068C:\Windows\explorer.exe{99CEBDD5-B99A-62E7-6705-000000006A02}2460C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\windows.storage.dll+1665aa|C:\Windows\System32\windows.storage.dll+166302|C:\Windows\System32\SHELL32.dll+4c89d|C:\Windows\System32\SHELL32.dll+4b436|C:\Windows\System32\SHELL32.dll+6cf99|C:\Windows\System32\SHELL32.dll+e085e|C:\Windows\System32\SHELL32.dll+4a413|C:\Windows\System32\SHELL32.dll+4a2db|C:\Windows\System32\SHELL32.dll+49bf7|C:\Windows\System32\SHELL32.dll+b2e8e|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000125061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.194{99CEBDD5-B99A-62E7-6705-000000006A02}2460C:\Program Files\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.com/C:\Windows\system32\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=DED3D744D46A5CE7965CE2B75B54958A,SHA256=70C9616C026266BB3A1213BCC50E3A9A24238703FB7745746628D11163905D2F,IMPHASH=9BB01C801600CEBDCA166D0534E98CE6{99CEBDD5-B999-62E7-6505-000000006A02}3344C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding 23542300x8000000000000000125060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.077{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBB5A4D6862C35F99F93EF42C924F605,SHA256=13FCDA371DC5DA5208BF0505800DC84CC055C10FDF14E4188279865AB26C155C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:39.967{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F843A852C7B04008B390D8F60918516E,SHA256=C45F29C547DD80895E421B52A87EA314EBE57B5E6ED2D39DF8248EF9DB371590,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000125192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:37.798{99CEBDD5-B999-62E7-6205-000000006A02}5100malware-dcrat-testing.com9003-C:\Program Files\Internet Explorer\iexplore.exe 23542300x8000000000000000125191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.401{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DEF6A2824D33C3C5C7A4506B54840E,SHA256=B741A6B037534CA4C4CB135B3C703F69806BB55DF8B61509122ACDEA475FBD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:39.389{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=88E2A85B6E2A3ACBD5EDC90E30EAC63D,SHA256=C3876608F02A7B3514332AEBABFC56AFC3B20A5D7D9BDA74F8600FA40C404C2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.232{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.232{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.232{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.232{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.232{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+eb637|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FB658CD8)|UNKNOWN(FFFFF511E5997E08)|UNKNOWN(FFFFF511E5992AB5)|UNKNOWN(FFFFF511E59958F8)|UNKNOWN(FFFFF511E5999CE9)|UNKNOWN(FFFFF511E599A813)|UNKNOWN(FFFFF511E598C790)|UNKNOWN(FFFFF511E598AC4B)|UNKNOWN(FFFFF511E59B103A)|UNKNOWN(FFFFF511E598B843)|UNKNOWN(FFFFF802FB36E503)|C:\Windows\System32\win32u.dll+1524 10341000x8000000000000000125181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+ed011|C:\Windows\System32\SHELL32.dll+ebb63|C:\Windows\System32\SHELL32.dll+eba94|C:\Windows\System32\SHELL32.dll+eb532|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8 10341000x8000000000000000125179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+ecf8d|C:\Windows\System32\SHELL32.dll+ebb63|C:\Windows\System32\SHELL32.dll+eba94|C:\Windows\System32\SHELL32.dll+eb532|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8 10341000x8000000000000000125178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+ecf71|C:\Windows\System32\SHELL32.dll+ebb63|C:\Windows\System32\SHELL32.dll+eba94|C:\Windows\System32\SHELL32.dll+eb532|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000125177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+ecf71|C:\Windows\System32\SHELL32.dll+ebb63|C:\Windows\System32\SHELL32.dll+eba94|C:\Windows\System32\SHELL32.dll+eb532|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd 10341000x8000000000000000125176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+a6f1a|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\System32\SHELL32.dll+ebbfb|C:\Windows\System32\SHELL32.dll+eb6dd|C:\Windows\System32\SHELL32.dll+eb4fb|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000125175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a6f08|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\System32\SHELL32.dll+ebbfb|C:\Windows\System32\SHELL32.dll+eb6dd|C:\Windows\System32\SHELL32.dll+eb4fb|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000125174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a6f08|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\System32\SHELL32.dll+ebbfb|C:\Windows\System32\SHELL32.dll+eb6dd|C:\Windows\System32\SHELL32.dll+eb4fb|C:\Windows\SYSTEM32\IEFRAME.dll+11e5e8|C:\Windows\SYSTEM32\IEFRAME.dll+c2642|C:\Windows\SYSTEM32\IEFRAME.dll+c4dae|C:\Windows\SYSTEM32\IEFRAME.dll+ca544|C:\Windows\SYSTEM32\IEFRAME.dll+b521e|C:\Windows\SYSTEM32\IEFRAME.dll+c77d1|C:\Windows\SYSTEM32\IEFRAME.dll+bbb89|C:\Windows\SYSTEM32\IEFRAME.dll+bc6c9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000125173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.170{99CEBDD5-B99A-62E7-6905-000000006A02}94967548C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1bae28(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baddf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1bad86(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a864e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1d1f2e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1d1e7b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10bf00(wow64)|C:\Windows\SYSTEM32\urlmon.dll+73eca(wow64)|C:\Windows\SYSTEM32\urlmon.dll+74668(wow64)|C:\Windows\SYSTEM32\urlmon.dll+7476c(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+52e4f9(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+3dca90(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+43c8f7(wow64) 23542300x8000000000000000125172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.168{99CEBDD5-9A41-62E7-8700-000000006A02}4616ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EOEFHE2X\NewErrorPageTemplate[2]MD5=CDF81E591D9CBFB47A7F97A2BCDB70B9,SHA256=204D95C6FB161368C795BB63E538FE0B11F9E406494BB5758B3B0D60C5F651BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.166{99CEBDD5-B99A-62E7-6905-000000006A02}9496ATTACKRANGE\AdministratorC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\FA1UL71F\NewErrorPageTemplate[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.148{99CEBDD5-9A41-62E7-8700-000000006A02}4616ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\FA1UL71F\dnserror[2]MD5=73C70B34B5F8F158D38A94B9D7766515,SHA256=3EBD34328A4386B4EBA1F3D5F1252E7BD13744A6918720735020B4689C13FCF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.148{99CEBDD5-B99A-62E7-6905-000000006A02}9496ATTACKRANGE\AdministratorC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\V8Z2C35N\dnserror[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.117{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+c5d42|C:\Windows\SYSTEM32\IEFRAME.dll+baeda|C:\Windows\SYSTEM32\IEFRAME.dll+bc3d9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\SYSTEM32\IEFRAME.dll+197c0|C:\Windows\SYSTEM32\IEFRAME.dll+e3aad|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85 10341000x8000000000000000125167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.117{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+c5d42|C:\Windows\SYSTEM32\IEFRAME.dll+baeda|C:\Windows\SYSTEM32\IEFRAME.dll+bc3d9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\SYSTEM32\IEFRAME.dll+197c0|C:\Windows\SYSTEM32\IEFRAME.dll+e3aad|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994 10341000x8000000000000000125166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.117{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+c5d42|C:\Windows\SYSTEM32\IEFRAME.dll+baeda|C:\Windows\SYSTEM32\IEFRAME.dll+bc3d9|C:\Windows\SYSTEM32\IEFRAME.dll+bdc32|C:\Windows\SYSTEM32\IEFRAME.dll+4aa08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32cbd|C:\Windows\SYSTEM32\IEFRAME.dll+c45ab|C:\Windows\SYSTEM32\IEFRAME.dll+9b96b|C:\Windows\SYSTEM32\IEFRAME.dll+198b8|C:\Windows\SYSTEM32\IEFRAME.dll+197c0|C:\Windows\SYSTEM32\IEFRAME.dll+e3aad|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85 10341000x8000000000000000125165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.070{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.068{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.066{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.065{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.048{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.048{99CEBDD5-9A41-62E7-8C00-000000006A02}49403656C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.048{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.048{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.033{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D30B2A2AE00CCD9F3E749C77479400,SHA256=CEF4E3C843D7FF1FB23982EF962F21045BEEFAE43146215C30775B7AA48C6CF1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000125207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:39.206{99CEBDD5-B99A-62E7-6905-000000006A02}9496malware-dcrat-testing.com9003-C:\Program Files (x86)\Internet Explorer\iexplore.exe 22542200x8000000000000000125206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.805{99CEBDD5-B999-62E7-6405-000000006A02}372malware-dcrat-testing.com9003-C:\Program Files\Internet Explorer\iexplore.exe 22542200x8000000000000000125205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.751{99CEBDD5-B999-62E7-6605-000000006A02}9956malware-dcrat-testing.com9003-C:\Program Files (x86)\Internet Explorer\iexplore.exe 22542200x8000000000000000125204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:38.751{99CEBDD5-B99A-62E7-6805-000000006A02}4844malware-dcrat-testing.com9003-C:\Program Files (x86)\Internet Explorer\iexplore.exe 10341000x8000000000000000125203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:40.716{99CEBDD5-9A0C-62E7-1200-000000006A02}3841612C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:40.716{99CEBDD5-9A0C-62E7-1200-000000006A02}3841612C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:40.684{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:40.684{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:40.669{99CEBDD5-9A0C-62E7-1200-000000006A02}3841612C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:40.616{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:40.600{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:40.600{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:40.584{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:40.584{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6905-000000006A02}9496C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:40.500{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F37BE4A4FD63EFAF44A25CD663126D,SHA256=1331BD90930D525C138886A9ED8BE4464EB8896929727219DEF201294FFCFCE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.900{99CEBDD5-9A41-62E7-8700-000000006A02}4616ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\FA1UL71F\dnserror[1]MD5=73C70B34B5F8F158D38A94B9D7766515,SHA256=3EBD34328A4386B4EBA1F3D5F1252E7BD13744A6918720735020B4689C13FCF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.900{99CEBDD5-9A41-62E7-8700-000000006A02}4616ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\V8Z2C35N\dnserror[1]MD5=73C70B34B5F8F158D38A94B9D7766515,SHA256=3EBD34328A4386B4EBA1F3D5F1252E7BD13744A6918720735020B4689C13FCF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.900{99CEBDD5-9A41-62E7-8700-000000006A02}4616ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\FA1UL71F\NewErrorPageTemplate[1]MD5=CDF81E591D9CBFB47A7F97A2BCDB70B9,SHA256=204D95C6FB161368C795BB63E538FE0B11F9E406494BB5758B3B0D60C5F651BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.900{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B99D-62E7-6C05-000000006A02}9248C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.900{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B99D-62E7-6C05-000000006A02}9248C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.884{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B99D-62E7-6C05-000000006A02}9248C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.884{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B99D-62E7-6C05-000000006A02}9248C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.884{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B99D-62E7-6B05-000000006A02}7108C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.884{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B99D-62E7-6B05-000000006A02}7108C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.884{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B99D-62E7-6A05-000000006A02}7788C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.884{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-B99D-62E7-6A05-000000006A02}7788C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.868{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B99D-62E7-6B05-000000006A02}7108C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.868{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B99D-62E7-6B05-000000006A02}7108C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.868{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B99D-62E7-6A05-000000006A02}7788C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.868{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B99D-62E7-6A05-000000006A02}7788C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.767{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.767{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.767{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.767{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.766{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B99D-62E7-6C05-000000006A02}9248C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B99D-62E7-6C05-000000006A02}9248C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+270ac|C:\Windows\SYSTEM32\iertutil.dll+281a3|C:\Windows\SYSTEM32\iertutil.dll+27f12|C:\Windows\SYSTEM32\IEFRAME.dll+458c47|C:\Windows\SYSTEM32\IEFRAME.dll+4589fe|C:\Windows\SYSTEM32\IEFRAME.dll+1b2192|C:\Windows\SYSTEM32\IEFRAME.dll+e3b9c|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.761{99CEBDD5-B99D-62E7-6C05-000000006A02}9248C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:276824072 WinX:0 WinY:0 IEFrame:0000000000000000C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.com 10341000x8000000000000000125232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283536C:\Windows\system32\csrss.exe{99CEBDD5-B99D-62E7-6B05-000000006A02}7108C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B99D-62E7-6B05-000000006A02}7108C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+270ac|C:\Windows\SYSTEM32\iertutil.dll+281a3|C:\Windows\SYSTEM32\iertutil.dll+27f12|C:\Windows\SYSTEM32\IEFRAME.dll+458c47|C:\Windows\SYSTEM32\IEFRAME.dll+4589e2|C:\Windows\SYSTEM32\IEFRAME.dll+1b2192|C:\Windows\SYSTEM32\IEFRAME.dll+e3b9c|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.759{99CEBDD5-B99D-62E7-6B05-000000006A02}7108C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:276824072 WinX:0 WinY:0 IEFrame:0000000000000000C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812MediumMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.com 10341000x8000000000000000125225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B99D-62E7-6A05-000000006A02}7788C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-B999-62E7-6405-000000006A02}3728564C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B99D-62E7-6A05-000000006A02}7788C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+270ac|C:\Windows\SYSTEM32\iertutil.dll+281a3|C:\Windows\SYSTEM32\iertutil.dll+27f12|C:\Windows\SYSTEM32\IEFRAME.dll+458c47|C:\Windows\SYSTEM32\IEFRAME.dll+4589c2|C:\Windows\SYSTEM32\IEFRAME.dll+1b2192|C:\Windows\SYSTEM32\IEFRAME.dll+e3b9c|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.752{99CEBDD5-B99D-62E7-6A05-000000006A02}7788C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8388616 WinX:0 WinY:0 IEFrame:0000000000000000C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812LowMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{99CEBDD5-B999-62E7-6405-000000006A02}372C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.com 23542300x8000000000000000125218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-B999-62E7-6405-000000006A02}372ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{80C1E742-118D-11ED-ABA2-022CE018FEC0}.datMD5=9A63E3ED9116EBD62B98BD09B6DC9819,SHA256=6FB2A5B6213351BD8029766FA636A2A000292D9B356AD0E22ACD97A8EBFE5ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-B999-62E7-6405-000000006A02}372ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DF3868919888837F89.TMPMD5=5DCB3AD2AEE0E70B92E53EAF804839A0,SHA256=20311932AA731BE155498938525D8A2880538863A703E2E72FEC7BE702D4A1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.749{99CEBDD5-B999-62E7-6405-000000006A02}372ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{80C1E744-118D-11ED-ABA2-022CE018FEC0}.datMD5=B1E2E86C6456F219B849540F06ED60C5,SHA256=96485175840BFCD0A386D0130830BFCD702B7F0ACB09E8E650E93EAC1E2D63A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.718{99CEBDD5-B999-62E7-6405-000000006A02}372ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DF47EBC3DF30CDB77C.TMPMD5=1EF49E0813A513BCDA7A43D5A89C3A08,SHA256=F10A933178E77F49341C4D0D07799386F74E2D4D1466AB287A17D56EF48446B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.687{99CEBDD5-B999-62E7-6405-000000006A02}372ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DFA543ED19F044267D.TMPMD5=8378A5603EF3C8DF750200A5C0995807,SHA256=8B0A8D9F153681DF7BC04BE6C4729E031ADDF8EE897FA9A0B4E7463D795F9122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.687{99CEBDD5-B999-62E7-6405-000000006A02}372ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DFFB92CC8C08A458E1.TMPMD5=9F6306E47D77F0CFD65A91C9F8D24EB6,SHA256=D01173102507A85385375D1AB5ED757AA24C19A6C6ACA52345901DDC652B5109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.687{99CEBDD5-B999-62E7-6405-000000006A02}372ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{CFD70879-1187-11ED-ABA2-022CE018FEC0}.datMD5=C7938DE30EFCBFEB94D4A5230B3646C9,SHA256=FEDB976F5FE070D6296C6B8E7217533EBAF0FBF1E4E24492E03E3E066434EE87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.671{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.671{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.671{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.631{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA786605FBBE469527F57D1409E75D93,SHA256=D7444E96ABD2484DF68494E2E51205BBEB3D666211081B7A805D44772FF6E6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:41.061{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1943026BBAD56839E8DA5C608B7A42AD,SHA256=F096A488C768D8620E8DEBF47F00B91DB4C8FAEE1E81EF222F50DCFF2CEFE482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:42.798{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA25A0383F0B19F586C3A19270971FD1,SHA256=77FF39A9BDE63C4C5E951167953C0019B3A0FE409B8DEFB5DC3022C88698A8AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:40.201{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51279-false10.0.1.12-8000- 23542300x800000000000000063138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:42.264{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4012032E308CDA7DC08D16BE0BCE17AB,SHA256=4B8B3FCC74A02A4A2FE42D6D099FFE6636AA3C6C7ADBC54F54AC09FEDCFB6131,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:42.514{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:42.514{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.929{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274389D9E43E0BCEDA9C5D47D2F62114,SHA256=F1FC5B3B49AFCA609C331F65B74A20C257967DAACE8C733613CA6976DC274204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:43.358{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F827CA355C611090A3D3126BB9CDC6,SHA256=90FCD8D1A198F4DEA5BCDD9494055AB5194D1FEE5675F838C7637D1BB49F501F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.282{99CEBDD5-9A0C-62E7-1200-000000006A02}3841612C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.282{99CEBDD5-9A0C-62E7-1200-000000006A02}3841612C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.267{99CEBDD5-9A0C-62E7-1200-000000006A02}3841612C:\Windows\system32\svchost.exe{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.267{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.266{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.266{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.263{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.262{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.145{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.145{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:43.145{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000125258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:41.193{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61667-false10.0.1.12-8000- 23542300x800000000000000063141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:44.561{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7E22275F9F4EF2FE7E6322CD9896DC,SHA256=DA27225671648B215C6297B0F0DF9C66BB672432D940FD6611CBC3203A94176C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.444{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DFEC680924CE6A6976.TMPMD5=9D3E647940B5FDF5352C857AA19312DB,SHA256=EAE61BB0D981006C36FC417AF4152CE9FF59C7461A5D34BC9EC3C7F013ABBC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.398{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DFC6A360EAE1140D67.TMPMD5=692342CACC74BD57667183F7CC8290B8,SHA256=3113680F88FDB097BBBAEB919992560DD279EC8F0EC8BF59702EC3CEA71099F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.398{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DFC6D4DFF8D8D040B2.TMPMD5=6EBED3CC2E1014F5119FD63A12906033,SHA256=2CD022459DD707285A109C5F5C7654A26BB2B9EB58FDC628EFE353797250445E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.398{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{80C1E745-118D-11ED-ABA2-022CE018FEC0}.datMD5=94DF281675562C5D889EBA99950AAA99,SHA256=5924CC5DEEF05FBA5AE3DB11CD0511DE87BC360976541952681693395841E114,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.398{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.382{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.382{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.298{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.298{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.298{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B99A-62E7-6805-000000006A02}4844C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.282{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:44.282{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000063142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:45.654{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF22E34E24242A6491F258782BB0B3F,SHA256=B77A0BE05FE4185672E3E9B9779ED3500563B3196ABD1D8B407FAFD7658D9313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:45.081{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082122E9F50F1F0E01B1860F6A6513CA,SHA256=D5B2CEB06583251D1052EC6BABE381844386F29F759C3ED559F0C76C92666353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:46.748{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1FE85601712471660B31F6365B1107,SHA256=97F7B7BDD263A012F7B1E263D708AC2090BDEF8AFDFC2058A6E2A3DF89E4418E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.511{99CEBDD5-9A0C-62E7-1200-000000006A02}3841612C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.511{99CEBDD5-9A0C-62E7-1200-000000006A02}3841612C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.511{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.511{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.496{99CEBDD5-9A0C-62E7-1200-000000006A02}3841612C:\Windows\system32\svchost.exe{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.480{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.480{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.480{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.464{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.464{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-B999-62E7-6605-000000006A02}9956C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.112{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7430EA2F5506546A5EA67275D064A52,SHA256=C93E195293B06757D13313C9878FF19296B519BD3E20D8913A42CA03A7B865CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:47.842{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F736C199D0F5EDDC8AFC80079CD4961,SHA256=A63D4439EDBC3AA274A5E1FADB54927D08E6B6A5E4EF07928DB3E49A7E75DC23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.808{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-B9A3-62E7-6F05-000000006A02}7992C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.808{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-B9A3-62E7-6F05-000000006A02}7992C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.808{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B9A3-62E7-6F05-000000006A02}7992C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.808{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B9A3-62E7-6F05-000000006A02}7992C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.781{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-B9A3-62E7-6E05-000000006A02}10140C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.780{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-B9A3-62E7-6E05-000000006A02}10140C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.772{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B9A3-62E7-6E05-000000006A02}10140C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.772{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B9A3-62E7-6E05-000000006A02}10140C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.771{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-B9A3-62E7-6D05-000000006A02}8364C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.771{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-B9A3-62E7-6D05-000000006A02}8364C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.763{99CEBDD5-9A0C-62E7-0F00-000000006A02}1042952C:\Windows\system32\svchost.exe{99CEBDD5-B9A3-62E7-6D05-000000006A02}8364C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.763{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B9A3-62E7-6D05-000000006A02}8364C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A3F-62E7-7D00-000000006A02}3228884C:\Windows\system32\csrss.exe{99CEBDD5-B9A3-62E7-6F05-000000006A02}7992C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B9A3-62E7-6F05-000000006A02}7992C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+270ac|C:\Windows\SYSTEM32\iertutil.dll+281a3|C:\Windows\SYSTEM32\iertutil.dll+27f12|C:\Windows\SYSTEM32\IEFRAME.dll+458c47|C:\Windows\SYSTEM32\IEFRAME.dll+4589fe|C:\Windows\SYSTEM32\IEFRAME.dll+1b2192|C:\Windows\SYSTEM32\IEFRAME.dll+e3b9c|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.377{99CEBDD5-B9A3-62E7-6F05-000000006A02}7992C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:276824072 WinX:0 WinY:0 IEFrame:0000000000000000C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.com/ 10341000x8000000000000000125324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B9A3-62E7-6E05-000000006A02}10140C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B9A3-62E7-6E05-000000006A02}10140C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+270ac|C:\Windows\SYSTEM32\iertutil.dll+281a3|C:\Windows\SYSTEM32\iertutil.dll+27f12|C:\Windows\SYSTEM32\IEFRAME.dll+458c47|C:\Windows\SYSTEM32\IEFRAME.dll+4589e2|C:\Windows\SYSTEM32\IEFRAME.dll+1b2192|C:\Windows\SYSTEM32\IEFRAME.dll+e3b9c|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.375{99CEBDD5-B9A3-62E7-6E05-000000006A02}10140C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:276824072 WinX:0 WinY:0 IEFrame:0000000000000000C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812MediumMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.com/ 10341000x8000000000000000125317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-9A3F-62E7-7D00-000000006A02}32289904C:\Windows\system32\csrss.exe{99CEBDD5-B9A3-62E7-6D05-000000006A02}8364C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-B999-62E7-6205-000000006A02}51008800C:\Program Files\Internet Explorer\iexplore.exe{99CEBDD5-B9A3-62E7-6D05-000000006A02}8364C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+270ac|C:\Windows\SYSTEM32\iertutil.dll+281a3|C:\Windows\SYSTEM32\iertutil.dll+27f12|C:\Windows\SYSTEM32\IEFRAME.dll+458c47|C:\Windows\SYSTEM32\IEFRAME.dll+4589c2|C:\Windows\SYSTEM32\IEFRAME.dll+1b2192|C:\Windows\SYSTEM32\IEFRAME.dll+e3b9c|C:\Windows\SYSTEM32\IEFRAME.dll+2a7f86|C:\Windows\SYSTEM32\IEFRAME.dll+152994|C:\Windows\SYSTEM32\IEFRAME.dll+1dd85|C:\Windows\SYSTEM32\IEFRAME.dll+152a1f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.373{99CEBDD5-B9A3-62E7-6D05-000000006A02}8364C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8388616 WinX:0 WinY:0 IEFrame:0000000000000000C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812LowMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{99CEBDD5-B999-62E7-6205-000000006A02}5100C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://malware-dcrat-testing.com/ 23542300x8000000000000000125310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{80B99DF9-118D-11ED-ABA2-022CE018FEC0}.datMD5=D442A1BB9258787EF5817057A27C561A,SHA256=13FBD2C6C6A1B869832C19AE4AD96A426883B7854A61DA61E92D790A453F2012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DF0EA663855DC90877.TMPMD5=34C93A817A652334F5D73A84D1178B8A,SHA256=4BD980625F612BA8348432874FADF145702BA4B43821A4BE91F131199BDF1A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{80B99DFD-118D-11ED-ABA2-022CE018FEC0}.datMD5=11678B0A30659B0E57C04375BE163EF4,SHA256=1EC1D7ECCE76678D60170EA62BD9CE6EB83C26B848A2325FB8DFFD00CB9C4185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.365{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{80B99DFB-118D-11ED-ABA2-022CE018FEC0}.datMD5=AEFBFF5BADE0C611DDFBD0B129FDEA8A,SHA256=2DF5ED81F31561E4F9465C7F482698624807B732A8066E19C0E07115EE48E504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.281{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DFE28BBAD73757A613.TMPMD5=DD9154E76D4C0D5B9261B59EE771D57E,SHA256=A6D1C25B25ACFAB06261C97C8AD2D93D13FBDF4E4AA5051E52589A59C9DF2718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.228{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238E1155935DAB40A6D6F3405B70219D,SHA256=2C4E401843EF94164AECA093AB81F6DD90192A63506E5D9CA533A556980ED978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.181{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DFBFADB9B0D3C717BA.TMPMD5=4FE3BA1011A1F13FE8768F43CD3558D2,SHA256=CA4BAB2F073D98DF2500C600616EC00536C3EE44AD86EDD2426616ACB605CB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.181{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DF391128225CAE267C.TMPMD5=552C93E5BB1203C989A46EDAD0387B05,SHA256=19DC4CD3C7DD3A912ACE57631B34951B6ED82D16EF6B795BBDD3A8C3D81DD2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.165{99CEBDD5-B999-62E7-6205-000000006A02}5100ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{80B99DFE-118D-11ED-ABA2-022CE018FEC0}.datMD5=2328364AE52BC8AACD80D638BD252122,SHA256=B1E1CA3AB04544127EFF5E6607058253761014A78D9BBD4728BBEC78006D2F3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.165{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AD00-000000006A02}5096C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.165{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AD00-000000006A02}5096C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.165{99CEBDD5-9A41-62E7-8C00-000000006A02}49408588C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AD00-000000006A02}5096C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.163{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.163{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.163{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:47.163{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A7B-62E7-AE00-000000006A02}5228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000063146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:48.936{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE720113D2FB593BD101970D3A870AF,SHA256=C38156CE6EF131BF59E8146DDD8626EF8E32B9258EC0BE5921FF11C846CE7FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:48.465{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B82AA3D569545B372F6EBBCF005FFED,SHA256=299CF39B8A0D32DB5D243FBFA22D53B3324DCB7C4AB2C8B79B3CB6A77B2C2264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:48.465{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86ECA883D7677C07A2E5157544DAB851,SHA256=B44CA26E5BF6FD94AF049759236A461780FCCC3AE78FDD13B99FE1F602A114CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:46.205{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61668-false10.0.1.12-8000- 354300x800000000000000063145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:45.217{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51280-false10.0.1.12-8000- 23542300x8000000000000000125347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:49.380{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA823224BBD7B4FD91F6B35676C3408,SHA256=BDF524B2EDA458E01CCCBD00BF2294D87B51C142E894D1AF0C9D157B6F6578D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:50.427{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB634313ABFD80C67E11ED7D1E582605,SHA256=F190441CB15B3E4E58E97076C40308A821BB674685FD456DD8E78774AF951B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:50.248{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175FAAC702342104E66EE4CBAA7A7F1B,SHA256=D5AA8C4EDB1FA62952306233FF7BEE5FEB76A23EDE87B39D559C72884AC7216A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:51.462{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C17221D0C7F8CF80BD973F878F1967,SHA256=A20F3D39FDE292D26A3AA359C87DCA21C0E633898B57F0B9A42AA36817AEA3CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:51.342{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBD7484C5D47431D91E7B94EAB22593,SHA256=1576C10884EF21C558D6E22555959B06F29F05BB22D122A61035BD045525F3B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:52.645{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\datareporting\glean\db\data.safe.binMD5=73E9D40C41ACE944911D9840DE12D70B,SHA256=1E1C3B0E246A12CD7F74C1E53384E14C4AE63650CAE2244309F1CAFB9C39C0C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:52.508{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F19C707A151E49FD320409E38D43C6,SHA256=901142A2F2C380B94CFFD6A0BC604C306336F0D6C5D06A5B64AB32A01EDCE963,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:50.310{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51281-false10.0.1.12-8000- 23542300x800000000000000063149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:52.545{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54E138E9106E501E10ED64FA8A93E2D,SHA256=EA89B91B17ABB8C1BB8F680A425024B5D9FBFAFF8C750871C2FBC36B10693E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:53.639{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1072DC777A2F7242A25EF81BC595226A,SHA256=23D4123BC997E94D9FAFE97381DA4E7051BBB018A8DE936B0D4C299566FB3E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:53.624{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE30E8E1AC8BAF51136A8C366292AD8,SHA256=162C8C0230C7676B0130A2573BEBD651671D7F8CB306BB6255846A27783742BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:54.842{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF8B9DA3BC2CAA08C4E78FC0D02003F,SHA256=64EE69AEC67D2C6E990BE3D9346A558EE4E621EAC0108FA72AAC08972AACE153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:54.675{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF8ABED2BA94C0AB2ADCB3C6C5BC80D,SHA256=27CBFD2A008F8920E012AF6089413ED660ED4D66B70724C24EA8576821A0332A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:52.207{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61669-false10.0.1.12-8000- 23542300x800000000000000063155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:55.936{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CEE0A3B8FAEDE0BB5684C03A026003,SHA256=AB639FC53988A72F9928A400A47CBEEC47D100FECD1EABF90B4253EF6EE32144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:55.722{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DFD5089E37765EF764E65EB3D37779,SHA256=2D6FA982CB625AA2E3DCDB8C85D11BB79586F9D2248E896D70F22F5E24CC5202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:55.779{6DD70E3E-9A06-62E7-1200-000000006B02}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BF2D35819FF39E9EC0D537F44231879B,SHA256=79337978C21964B698D9A9A24FFC652BDB0EEC8B2EF4795AA7AD63797E4F12A7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000063153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:31:55.686{6DD70E3E-9A06-62E7-1400-000000006B02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8a59a-0x4dd63cba) 23542300x8000000000000000125356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:56.772{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6A5CEBAF767288084EC73F65876B08,SHA256=471E1E345A72DB0E9071CEEB347FCA17589CD9073076AFCA3EE8A257C3BB6661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:56.014{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:57.888{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFE3216D03366DFE531B80CF268B888,SHA256=843E9875780402ADADAA648E44455AE81C9AEA01CD52A743D0352F4D8154DA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:57.139{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5897F55A0F615A3528D5E122754E46D,SHA256=5A6E4A1E9D31C90BA8E6B5F8BC3D297B12DABFF0868B0408BB7EB6663AEF047E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:54.826{6DD70E3E-9A06-62E7-1400-000000006B02}1028C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000125357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:57.655{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\datareporting\glean\db\data.safe.binMD5=E6A72E954DDAC68649AC1E6D6B156F28,SHA256=58C199D5B776583A6EDE2BA2A98C3CCEAC69C24B5FD9B19E9526CA914561F6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:58.229{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454415759E3BA9760A0129A59B8F5CAC,SHA256=194EA25B0F662D4A83B832BF0BD4DA78B7953557D510AC1F25336016551AFB39,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:55.154{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51282-false10.0.1.12-8089- 23542300x800000000000000063163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:59.214{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78BBFDCC9727B360AFE037679B2342B,SHA256=2B5BCBEDBCC3D3569DFB9B9695B2E5E895951E84D6ECA4D65E20E8B0AAA27706,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:56.774{6DD70E3E-9A08-62E7-3A00-000000006B02}2292C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51284-false169.254.169.254-80http 354300x800000000000000063161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:31:56.232{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51283-false10.0.1.12-8000- 354300x8000000000000000125361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:58.181{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61670-false10.0.1.12-8000- 23542300x8000000000000000125360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:59.056{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AC2C46534F523DFBAA0B0D7092967C66,SHA256=42A0A899340ED535CC93852390A6A56F67041461F267B93C40795502D47F89D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:31:59.021{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A2AC42244795B0635B0135BA7F875B,SHA256=9FF7A1841723E2B7FD81C3031A35CC9142FDC550B9156B109599C38DF3822D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:00.307{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA06444004A7693C2FDF326C2E439F6,SHA256=9627877C287FD8D88353636282EE2411D8D83A21DF3448327E5EB034A490EB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:00.155{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AF9C24438C3409B70D9AC4CD473A0E,SHA256=91E50BC5CBA38E7BC962A75034B81779A6BD2F82B2EFCCFE590ED74DB23BB603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:01.511{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0946DD638C652BE0600C9612BF87BA22,SHA256=1A279CCD1DB7594311A10B87FA143AA468F9B246ADE71C6D2EDFE90F78761EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:01.469{99CEBDD5-9A0C-62E7-1100-000000006A02}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5BE51E919F85FE49880E304428324F39,SHA256=00CD9B5F579FCC63B9F91C6A3872F409F55CF3C233F31C47B463B0EC44860DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:01.201{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C010E4DEDC91E313FEC43073A465E82,SHA256=2C6070D64E15D6659F9A5DCEBB7B52BE5FB69A97BE9FB5981243EA8C0AFFB8F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:02.604{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FDF64784945C5EA51E99B87973916D,SHA256=D4FDF079D89B1B1A3E98BDDEC171387EA17A41B5746BE46B2847FDCA6353E2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:02.237{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503993982A0D8C6317BA7CBC6BF92814,SHA256=E860FC4018001AB3E06A2B080CA42AAFF13ED3995D7CE80DA177AA758B605D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:03.808{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DB92C7DAC52070931E3ECEB9D40A11,SHA256=4E9508BF887A913256CA3EA8765FE8BCB721D0D71D9D8B002AA65BA945767916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:03.267{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AAD7B724D8FA54FB966286371C3A16,SHA256=1A9F46075BCB1E2817FCB8831E118C52279E5D905B87E5DF16E78D4B4F825E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:04.397{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B64B1735DE92682BB6AF2C85B951F05,SHA256=DD3AABF56777ADB60BFE32AB5F4E3A2679BDD9166E08AC40707B037F15107484,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:02.245{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51285-false10.0.1.12-8000- 23542300x8000000000000000125368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:05.434{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F75803961664AAEB223B4BB96C814D7,SHA256=35B193538F8D38F03272E0C95E5D1DCE1523DB9349710905799258C159CBCE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:05.011{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D47133A1AE35C52868317446E5005D1,SHA256=753923DFB7ECC673834EABD22261916383B34F3196D651337E91B2E196878018,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:04.159{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61671-false10.0.1.12-8000- 23542300x8000000000000000125369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:06.451{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2EEB63DD7B70DC6D77A272D6378F2E,SHA256=029F0721F3B33F2765706B3C555358B1C034C1B8F97F5CCF0F56F279280CBD3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.901{6DD70E3E-B9B6-62E7-4D04-000000006B02}7124068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B9B6-62E7-4D04-000000006B02}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B9B6-62E7-4D04-000000006B02}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.745{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B9B6-62E7-4D04-000000006B02}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.746{6DD70E3E-B9B6-62E7-4D04-000000006B02}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000063170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:06.214{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E4A979897D3E8E36B2FED5462BC944,SHA256=7E0B8EA235EEC87560DC3FEF44A098BAA2899F791956400C142A006348D38690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:07.596{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B36ECFEF27560AC3333BF9E407F6829,SHA256=112A78909304C66C786BA32F0758C0FF529550188FBE56602F3172A3DD69347D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.839{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19E6B77B5C91849F518F63F074318EB9,SHA256=B9504CD69CCC9E382156A4879D425FE82E8FC8B8E4250C0AC3C192208933581C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.433{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3643D13F94F919650827218A166562,SHA256=B6BFCD26952073BA79784568D7115771209829D9B9F723EAB129759FA99BD8BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B9B7-62E7-4E04-000000006B02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B9B7-62E7-4E04-000000006B02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.417{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B9B7-62E7-4E04-000000006B02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.418{6DD70E3E-B9B7-62E7-4E04-000000006B02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:08.614{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138541EDB8E73D99D6BE9062E136C13E,SHA256=A351C413DDF32449C611B765D0EBBC6295844AA20719D1C93FB76C498DE6A29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.683{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D52FE9AD2FFF5BF9EC39EAF01E73D00,SHA256=90E963AA36EA0F4A2BBC7E36B2E76CE633F4854776CBECAE61B6BFD5DE12EB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.558{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9FD3BBB74D8B83DE92BD8668F40EDC88,SHA256=A834F1D5E4EAFD51714CD21A77453FE8786E0B871C7CA3D1FCA19ED4EAFC8B89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B9B8-62E7-4F04-000000006B02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B9B8-62E7-4F04-000000006B02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B9B8-62E7-4F04-000000006B02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:08.058{6DD70E3E-B9B8-62E7-4F04-000000006B02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:09.732{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C3900733241E307DB90688D09BED95,SHA256=36DBA1E7DB2644CB5D36F67B889826A9352641A0664E4FEE6C5D3FBB925DC638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:09.620{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4639972EF7227AD743C9C38E64F7F304,SHA256=3622E6502D494CD787423F4D29CD3AD6EC876BEA316A1411EEAB6EE7E6B48878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:10.762{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDF485422B9DC0A71491E0DD3435145,SHA256=80AB73608AABCECF4598ECD33FF466892D6A2983893205EDA3DA130E08F13CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.714{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B96764D5EE6B71B5DAC7F65171A8EE,SHA256=54CD7E62FD6D7BC37C7B6967887E65B38670645CC6954B375FFC5489285A8531,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:07.401{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51286-false10.0.1.12-8000- 10341000x8000000000000000125376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:10.263{99CEBDD5-9A41-62E7-8C00-000000006A02}49404420C:\Windows\Explorer.EXE{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FB658CD8)|UNKNOWN(FFFFF511E5997E08)|UNKNOWN(FFFFF511E5997F87)|UNKNOWN(FFFFF511E5992611)|UNKNOWN(FFFFF511E5993FDA)|UNKNOWN(FFFFF511E5992296)|UNKNOWN(FFFFF802FB36E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000125375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:10.263{99CEBDD5-9A41-62E7-8C00-000000006A02}49404420C:\Windows\Explorer.EXE{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FB658CD8)|UNKNOWN(FFFFF511E5997E08)|UNKNOWN(FFFFF511E5997F87)|UNKNOWN(FFFFF511E5992611)|UNKNOWN(FFFFF511E5993FDA)|UNKNOWN(FFFFF511E5992296)|UNKNOWN(FFFFF802FB36E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:10.263{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF7c6f97.TMPMD5=E28227B6D6E494469AE6EF4D3E29C7E8,SHA256=FFE486831FA5E731F94AEE76A4513D77409B0F6376D19058D532A16B272B6CC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.386{6DD70E3E-B9BA-62E7-5004-000000006B02}37603936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B9BA-62E7-5004-000000006B02}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B9BA-62E7-5004-000000006B02}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.167{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B9BA-62E7-5004-000000006B02}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:10.168{6DD70E3E-B9BA-62E7-5004-000000006B02}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000063259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B9BB-62E7-5204-000000006B02}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B9BB-62E7-5204-000000006B02}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.995{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B9BB-62E7-5204-000000006B02}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.996{6DD70E3E-B9BB-62E7-5204-000000006B02}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000063246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.698{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9002BD8067164864BA6A6541DCFCBF5A,SHA256=E9094973DDDC9428E0B6B132D270E7A0ADB1CA18FEDB7B29939EE874BEF39594,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:10.124{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61672-false10.0.1.12-8000- 23542300x8000000000000000125380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:11.792{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA1AFF485920FDDA14F136397803D1B,SHA256=0E6BDCDAAD0917DBBC818478F89DD951C33E063E94177332C72ACCCD59A534DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:11.262{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\datareporting\glean\db\data.safe.binMD5=753440FADE5B7D5AD598B616FC37A366,SHA256=1D7D659E9EA402633D85B87422293DC7270F240D8279F1DA3B7F911DB74BAEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:11.193{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFC3C32DA4C75BD496DFD9B56D3D7769,SHA256=D6ED9F687E8DE4F1D814B03D4664F7C2A0E1F409B9E494BE359320D9DD2EF2E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.526{6DD70E3E-B9BB-62E7-5104-000000006B02}32003280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B9BB-62E7-5104-000000006B02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B9BB-62E7-5104-000000006B02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.323{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B9BB-62E7-5104-000000006B02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:11.324{6DD70E3E-B9BB-62E7-5104-000000006B02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000063261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:12.792{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7445DCAD32D65DDD450C403480BF7A8E,SHA256=AA106F9B63BFB7EE002C5F1AA93CB19D2D17B08EAF0E6DF445DA1F9D914BA156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:12.809{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1BA0BC5B4F44F9CFBE03B2DA1F27E5,SHA256=230613CF8C9701E94C6371BED09EC9AC7946A3F51A18A245812319BBD012DF1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000063260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:12.214{6DD70E3E-B9BB-62E7-5204-000000006B02}37402540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B9BD-62E7-5304-000000006B02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B9BD-62E7-5304-000000006B02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000063264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.917{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B9BD-62E7-5304-000000006B02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000063263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.918{6DD70E3E-B9BD-62E7-5304-000000006B02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000063262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.886{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE4470C28E96FEEF080847F809FE096,SHA256=567FDD5E3A885BDF684FDA57B153D76BCE1C5B4999E3870B2BAF69B5983DC413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:13.844{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B8A2FA856C11AE1707994324CA5389,SHA256=F4FA7F4BF15D4A13B96CF963410C42C571B06633D01A923B6CC87B618AD6B90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:14.974{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D284BAC01F0F9ADFCE6D7A81AAFA9F01,SHA256=DFF788DE89467F4F1C7886801898D4E25A0640E9262AAB49BE7FB624674DC61B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:15.198{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6733C34D66D5B088FFBD8548944D4C3D,SHA256=4D8FCF9F3A97F7339A95283EDF70143E14B6348E300005A4302E0FB93752BE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:15.058{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DCF82418E90CC9058BBEC6C3629365A,SHA256=5F037D320F0EDCE56093BF1875C9EC48570B5B27148533670495A06BB912E9CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:13.386{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51287-false10.0.1.12-8000- 23542300x800000000000000063278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:16.292{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A254BBB2D52B167476EF16F6494B9EE,SHA256=C328E99CFD6A8B9CF62316FB16E0C0D4128C25AD0033871C61B002B273CB7D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:16.308{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:16.006{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E37F067EBEF6AE2097B6EFB3D02FF0,SHA256=D5FDABA44210DA711366C6E629A15ADA381053895046C8A50C300A622EFE855C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:17.686{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\respondent-20220801091656-131MD5=27E9143B9CB90649B07EAF2F4EF1772C,SHA256=A1ABCC2732E4C7E234845602CC2F5F62DB7BFA56C76C6EE76535F9D8057806B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:17.386{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5624D3529C8D3F6A748D31EA6172F2,SHA256=CFC048C30CD6AB4E312639765D077694D9D418B4DA553DEE75ACDDBCC7BFFB15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:16.377{99CEBDD5-9A1C-62E7-4100-000000006A02}3432C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61675-false169.254.169.254-80http 354300x8000000000000000125389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:16.350{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61674-false10.0.1.12-8089- 354300x8000000000000000125388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:15.250{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61673-false10.0.1.12-8000- 23542300x8000000000000000125387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:17.029{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC407992656E5B72C54D5194857172E5,SHA256=E83EBBEAE71783B654D81E9CF5414188F003194CA88E240128B6A47ABFD648CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:18.683{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\surveyor-20220801091654-132MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:18.589{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD3109D9ACDBBB01A42EE8B3143413DA,SHA256=B855654CBE367F73423522374FE8F3F2FC9A47E1E8121604DCB102C513AA1D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:18.174{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F32C0F0EDCCF57C48E341E2D45C1EF,SHA256=CFF0848AF4FFA4B7A843740A5C5EBC16397ED68A709B77C4FC6D5280791ECA71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:19.684{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C31BF29BD29229EFA9B3384E1DA209,SHA256=D21802C436E356B71EB42ABFC36B30FA4A620296A3B76BE47C3AA710A6CC4648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:19.226{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C705DDF8BEEAE5D311DB050DEB95FAD3,SHA256=99F64CE559FAC091D9CB19FF5F15B17AEB3AB6FD9973D24D69F8E6ED4B516D1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:19.204{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:19.204{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000063285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:20.778{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2B5384F889AFC50A4D9D72B2C5983E,SHA256=C1C43241DDDC379439617E16568C0DEE40EF2BF420340DE48D9D8352419EC0CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:20.272{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B71019CF19C6DAC4CA7FB5E53A423C,SHA256=30ABE1280E7C9B281311AB1579FB0629BDBCC7D6A0B7F0CC691ABD3CB733F91B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:21.981{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7626580A07D9A64375ECE69B0F6C3908,SHA256=76C2A421273A2D2200844E9D1CDB5BFF7905935C26F1B140B927D8D10C4EAD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:21.387{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE6250788084E52F97F53002D17B00D,SHA256=CA6A099ACEF6378AD46DB140082A845A8205EDD0DB65F1C24CA46A3D7002FCA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000063286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:19.324{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51288-false10.0.1.12-8000- 354300x8000000000000000125398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:21.264{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61676-false10.0.1.12-8000- 23542300x8000000000000000125397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:22.523{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD41150DA3E05BD6DE029B5E8264F2AB,SHA256=D960149C7BA989F5A9037527E6EA61DF8260AE589C4A2C7A927084AF712F2F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:23.553{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE0C6442053D4F35DE3F6203CF7BD97,SHA256=012FA1B5FEDDF2E0E1C42E501F31A5C6B72648E8A9490B922560A3DDB4CDE10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:23.075{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336BBA5F27C32B8B9C5F5E4E035322EF,SHA256=853FA3D5303404AB252DD1BE03E9B375309186D72DB56E6789675B92ADD158BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:24.684{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571FAA4CE87FC5D1F2237B1341C274FB,SHA256=F74C51A486EFD90FE3B2420B5E2443DBB3C8797048793D104EF4A9106E06FC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:24.168{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7399FBAD3198669F8B4E4CC066D17FDA,SHA256=A1D549CD4E59C21987E55D9838E343C8F7393B47DD9129A6AF72DB494035305F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:25.720{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C4AB21E108349E8CA367F0D230543F,SHA256=ED9A608F70F9B3FB22DFECA9ECC9805F941D660412F81F89DB0B7749583E2D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:25.371{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236F65352A7CF35BCDD7F20AAEBE9264,SHA256=2C770D08DA2EBB6C56EE09B38E4B7D17EE2FE71A3CD52B985C7040113DB801C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:26.851{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7093A8F1FC46AB0E7CB618533FC195B5,SHA256=57768FE61DDAA9D5B5516799383702C0A3B9EEE9C720B511379A7A9F546064B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:26.465{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B738C09F56A2FB0E5E380F5950E372E7,SHA256=1B45B4CD5AAACFCD24D51A278CDEC3C9FE9B2C0E7272827A05C3C63E146DFA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:26.300{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4om6xl8d.default-release\datareporting\glean\db\data.safe.binMD5=E04568F6A7A2BB4D99187E8541293A4B,SHA256=455F3ADC342CB09A76FB5BDF08FEAAEF2F02ED1A6AF5483172B57F447DAF1511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:27.934{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0122BAE7FC648668A90218B31C8E35A2,SHA256=1A22CC510B9C830A3169F158C27E7B7DB7CBC71474B009EF5F962B7CC3BD18BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000063292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:27.668{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F2A041C912B50443A57927FED502B2,SHA256=3F5B6B709C72C73E45D5062F3E100821C594C28B516963C0DE9C5D4867207D0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:27.603{99CEBDD5-B9CB-62E7-7005-000000006A02}76605240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:27.407{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B9CB-62E7-7005-000000006A02}7660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:27.405{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:27.405{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:27.404{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:27.404{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:27.404{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B9CB-62E7-7005-000000006A02}7660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:27.404{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B9CB-62E7-7005-000000006A02}7660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:27.267{99CEBDD5-B9CB-62E7-7005-000000006A02}7660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:28.391{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC2BF2E3D9B6C97CF085DCD8817CFF3B,SHA256=A91EF7C46A04F1043EAC768C33845D35C72079708A6AD4BA299ACD35A7F0454F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:28.258{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C38F72848F335FB8914E91B0030A88CD,SHA256=6BFE84BB3BE3DD69436E70FC5FA2BAADB133E509283DA310CED94AB545D5EAE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:28.185{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B9CC-62E7-7105-000000006A02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:28.184{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:28.184{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:28.183{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:28.183{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:28.183{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B9CC-62E7-7105-000000006A02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:28.183{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B9CC-62E7-7105-000000006A02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:28.036{99CEBDD5-B9CC-62E7-7105-000000006A02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000125414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:32:26.312{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61677-false10.0.1.12-8000- 354300x800000000000000063293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:32:25.309{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51289-false10.0.1.12-8000-