23542300x800000000000000062446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:29.666{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB62EE98A5E24462DB35EE38AE78DC62,SHA256=1100505DE087A16E1A6CFF91C5427C0D44631265F4CB640F3B657043124FCE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000123974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:29.611{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\respondent-20220801091716-126MD5=C43D34BE2B67B59870C23F5D1C058A3D,SHA256=06E4DF658D34D48A70EC2DD38C98F92C1FEF70D2DB99183ED0883C06837ECC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000123973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:29.444{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99CF63128BDB676E2A63A6687FDDD335,SHA256=309E3CB2E3440C72C3DDCE5F92CAE1A55FD09EEC711559CE1D4B329C2E2BFEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000123972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:29.063{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FF2A83EB115118F56A2A620979BEFBAC,SHA256=265A5A184A44166B7B23EC82657B2EC836D5D4D72145B091DC54CF9F994847A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:30.978{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0046F18B78E8CBD9CEB773C882A2337E,SHA256=B8D508BD404E9716350134B00A2AC18F4626E48DE7F1A494FC8A497D0D558864,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000123986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.924{99CEBDD5-B8A2-62E7-3405-000000006A02}85566900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.744{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8A2-62E7-3405-000000006A02}8556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.742{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.742{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.742{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.742{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.742{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B8A2-62E7-3405-000000006A02}8556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000123979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.741{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8A2-62E7-3405-000000006A02}8556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000123978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.741{99CEBDD5-B8A2-62E7-3405-000000006A02}8556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000123977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.624{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\surveyor-20220801091714-127MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000123976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.462{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6309F5C1CA5BC39AFBAD8F8C61D7BDED,SHA256=A8AD5285B59E37AF779B505EEB583F31DF43FB3F985B37B7817FA14735F822CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000123975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:30.462{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B2CF50F5C72C214B1AF16588608BB6,SHA256=A11902734409ACEAC7806FA36AD59E0CA5968F6B7D4DC8FBE1FF3368A00E724D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8A3-62E7-3605-000000006A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B8A3-62E7-3605-000000006A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.978{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8A3-62E7-3605-000000006A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000123999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.980{99CEBDD5-B8A3-62E7-3605-000000006A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000123998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:29.627{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61607-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 354300x8000000000000000123997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:29.627{99CEBDD5-9A1A-62E7-2600-000000006A02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61607-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 10341000x8000000000000000123996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.578{99CEBDD5-B8A3-62E7-3505-000000006A02}85926848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000123995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.562{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C276A03B61F37783DF2FB8EC4F7C04,SHA256=48A5D500AA8CEC3417F602B30DE9B82E0A0230E14B4A656D43EBD8FB46E1E689,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:29.386{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51231-false10.0.1.12-8000- 10341000x8000000000000000123994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8A3-62E7-3505-000000006A02}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8A3-62E7-3505-000000006A02}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000123988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.409{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8A3-62E7-3505-000000006A02}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000123987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:31.410{99CEBDD5-B8A3-62E7-3505-000000006A02}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8A4-62E7-3705-000000006A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326728C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8A4-62E7-3705-000000006A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.878{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8A4-62E7-3705-000000006A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.879{99CEBDD5-B8A4-62E7-3705-000000006A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.594{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7F6603CC6B18655BFFBFA7E73386F7,SHA256=D63830F661032FCFE28E6F225140792EC3852A7C18343E57A1869231D733B05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:32.072{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73111E09D9D5F79C6B56625257EE0851,SHA256=3C28A557512623421D5169A3C81EFCDCC63EE57A9D8DFEAD4628B58263FC15C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.425{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.cs@2022-08-01_112718MD5=E3857BE5211291BCE3E08EDF657A5231,SHA256=B64EE0E83AFD0AF62F3B2EA055B25AB13C6CB01C2CBE103E2CA3F59A31886350,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.145{99CEBDD5-B8A3-62E7-3605-000000006A02}27442172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:33.724{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96401DD1294384E37FE98F781D1360A6,SHA256=7F4173B7A5E53F84EEA03957245904AD6C591C337E3E06D2E4E4EDA6652B2EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:33.275{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABEE9C68158815F32E825ABF8C53D21,SHA256=B5F52D589FBBB46449EAD93448402A6F52FA0F363AC194C108A500C21D2748B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:34.861{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528FC048B411554091BF751F4BFC5048,SHA256=5BB6750A3142F4608B3B7F23FF9CA0868D401134CF5704865EDE2FBD11250D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:34.588{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80340DD8CECDA2D63A6917FAEC405203,SHA256=748052B2FD5C769E0AD89F0DDD8925F9A76E6CBF55B4491CB37B182B9227D07D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:32.327{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61608-false10.0.1.12-8000- 23542300x8000000000000000124021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:35.907{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCACD87DBB03716B36420E01D28DED8,SHA256=4BDBD56BB2D5EEE3D26EEEE433C73735B5E6F06238EE35B02CF917442BFA9C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:35.900{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2EB1EC5E2EC28A0755CA0E8BE808D2,SHA256=990F035C6D1CD449F4E84AC96AA0945BC11D989B2364004F193C6CFDAF1F6677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:36.994{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38570C86BAA5E10565CC74795A179C98,SHA256=21A312C4DCB504811B992E4E7758858224E6400C9DA3493A1BCA85146EDCCDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:37.773{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.cs@2022-08-01_112718MD5=E3857BE5211291BCE3E08EDF657A5231,SHA256=B64EE0E83AFD0AF62F3B2EA055B25AB13C6CB01C2CBE103E2CA3F59A31886350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:37.757{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.csMD5=8F09E7672CD428C5743D32E3AF8797F6,SHA256=FED4A36E350E32409A9BFCDBF70E9492811B2F6685DF6BFE555E2015BA9D8B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:37.058{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6335DC1B389F4B4BD514ADA0E88451,SHA256=518796478E5CDBC84FCC83207678BAF015308653A202252E5A9DC44CF93147A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:38.104{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C70A2C1BDC6BE4C9EFB41073563D9AB,SHA256=26F7A081EBEEF11A38AA227527B892F82E8E55760B55E2967417F8A8080063AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:38.916{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EE8A03892EAE8051233B2AED5EBE73C9,SHA256=D7CC730E8DA8DA1CC8E6632C0EEEB100B3D4CB0D20087B8C81C1CC31C6A06C24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:35.230{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51232-false10.0.1.12-8000- 23542300x800000000000000062454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:38.088{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED5A701F6A7ED60151872A775147768,SHA256=183F8B389093F59BBB69F82689D6841BEF58139385EA6DB9A153E2C6E6D9DC55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:38.122{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61609-false10.0.1.12-8000- 23542300x8000000000000000124026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:39.155{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26BB06E01A8D75CA297B6D6217089E0D,SHA256=F11ED3059918EEF53250E3EAC7489877437D4C0FAD2AA0FD26FAB5230A0F13D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:39.182{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A359EEF811B5BE8EB0E7582C1F9475C7,SHA256=3F4260A30DAE8F92788E4ECC0D3A92D6383EF45D5FA41180778CFB0AE6CAF26B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:40.201{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C5DE138C99A18E2459CC908A5DD50A,SHA256=2B66DC73BF2EDCB857EED8BFEF643AC2B7A7E659A6D30671619DE6C5155A3692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:40.385{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672FA73D512418B643DBB798C9FC2736,SHA256=AE6524EBA8806876F95816040E8C3C22E87447EB3EC4A333E5549FCDCEDF0C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:41.253{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE6AB9FCE0845E9EB0F8F596CE6A7B4,SHA256=DE83698BFE337EAB6FC54EF340FC93992E0B96160978BD6030C7B36C0D8708C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:41.588{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089B51F646434272417928484EBF1758,SHA256=ECA08EB2BA85AD4644B6905ABA1EA682809F822B93D42985574B77193A751BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:42.681{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C484D34753CA5E4CF7122E6DB87AC13,SHA256=13D5185BD8DA6C9D0871E861CDCF879BCBF3478A11DB2B92FEAB5DC1D3FBB0A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:42.285{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00C5B004884D60B54A14DD7CAF20E84,SHA256=ED6E57783B9EF153F595F67D440B4641611B5F7BCC2F693B326C43E35833F9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:42.052{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.csMD5=72C6E6D9154368FC00445F244C26C5B5,SHA256=A97E6FB2BDDAE8C204F84BEBD42B67381F6453D93A6F3C25BC754C0AB252460A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:43.885{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F2B7A7681CBAFB808B135DE35A7AE2,SHA256=547E2995A05148E7388E42FF575F940C5719BCF68D8B08959EB8E4A5F45B715B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:43.333{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9FB6F91686F2031D8D087A473ED100,SHA256=1ABD5A50A031BEC291B2BD19EA99000A8439DD951A0A2B79DAA5F028F6A2922A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:40.417{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51233-false10.0.1.12-8000- 23542300x800000000000000062463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:44.978{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CC33353B9779FBB3AB97A7CAFC9E17,SHA256=58D6640D2E8DDC33AB36B3C3BD75F8D2EE636B6868E694187DC2B3FD9A5D6CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:44.369{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A45FE44520FC668F68F1B4B587F0E75,SHA256=AD8339BBF51322BB0E60DCCCF9D7EB1F76E0F86E6E3C43571394A588F96EA01C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:44.097{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61610-false10.0.1.12-8000- 23542300x8000000000000000124034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:45.500{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F01FF6E87B9A40F8FCE7E289EFFB7BD,SHA256=83F75331CC929C55DB350E1E77B746D40C8385D72B303F969F990AAE9D01E2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:46.632{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC116C96D14AEB1D1657E81BBF2431D,SHA256=CD9BA432F3687A8784568E314A8EEA5BC999AE6FBAF4B255A4F80A4C80420EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:46.072{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4D1FFF179C88419E12632F53EBCDF5,SHA256=B0506F72E9CD2C35C141DB1EBB639075CDAB96C65F3568B3CACBA0EFDD0D3325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:47.667{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C9C33E864D4D1CC5B1022E4C262A6E,SHA256=0F52E3FD1D876B971C7EFC614F039350F4D0F561C2A0B97D2DD86EF1F711237F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:47.166{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49191F7A0FF2E7562DBF483978EE4552,SHA256=E1D866371521DF447699BCFF6B7D11B7FC14C2EB7F33DE9E1987C542513EA33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:48.712{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861E6317318D1A0677533E7F13F53B2F,SHA256=970D89BD9371FDC2D2BE3571A37368A37EF4F9FBDCC45D519337312E8DB2F513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:48.260{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33334DCBBDA02ED87682A128FF98788C,SHA256=21DE8AD35C257C4532021D615CC92FDBCF96F1584ACC880FFFB2898BDE6C5C0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:49.928{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1849a1f|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+1849ebe|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+184755d|C:\Program Files\Mozilla Firefox\xul.dll+19146a7|C:\Program Files\Mozilla Firefox\xul.dll+1b09163|C:\Program Files\Mozilla Firefox\xul.dll+1b002b9|C:\Program Files\Mozilla Firefox\xul.dll+1820265 23542300x8000000000000000124039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:49.749{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70A3360DA949C98836D256BD69D2361,SHA256=98AF6A12CDE3A9EBCE9345FA26548EA5FD672E43FB85E65C995964ECDA8E3CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:49.353{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A55A9F5D5747B04FC7669F66FFF5EC4,SHA256=733893202D3A41DCB0FC306CB62CF7BFB24044EF723CFFE331BC6BB3E7C17859,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:46.276{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51234-false10.0.1.12-8000- 23542300x8000000000000000124041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:50.794{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64DF097AFBDC0789E0A12B965D1C39B,SHA256=EA7036710D50DF86F50F1D1C9612FAD9A7F1D762F31027907007BDD8475BD4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:50.447{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901C2833A07AC99BD691B3E4666E8FB1,SHA256=DDFB70E833FE46688ED908EA63B956D81BCA820CB6F92657BFE2323AF0A5FC2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:51.827{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDA420B71DD3AB386BDBFDFCB8D0E29,SHA256=F628622A24A23B73EA99179B4440A6BA0A0AA4C2C4BBA197FCCC24134A42F4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:51.541{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE3CB00AD89B85D09BD5661CBF00D63,SHA256=9EA1D014F5E94D8E97AA17B69D0A43BBD47890BC4EB7864CCE246DE963CF1BEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:49.292{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61611-false10.0.1.12-8000- 23542300x800000000000000062471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:52.853{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CC1F5572C1BDC7EE643A6E91BD141C,SHA256=2503C55D1AA837A667E36318D875366E45AA214EDAB50C983222AADA31066638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.963{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECEABA3C2F00A19A45BA6D84F6D53D2D,SHA256=B1FD9CCB17FF187C0B3A6D86F1A541905087E3B84CD791AC34F994AFBC3BBB1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.724{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.277{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-99EE-62E7-0100-000000006A02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000124045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.162{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.162{99CEBDD5-9A0A-62E7-0B00-000000006A02}6327520C:\Windows\system32\lsass.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:53.947{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C32898C8C13738DDB8C5055A62DC23D,SHA256=E66809B5EB582A42FB7E6D56F6F2C6A8F5B86F4E61815FC2E30424ADE5AC4763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:53.307{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA6BF37D363E6DD46D8CC7E46D88F737,SHA256=5816D09FC6759F383D547D1AAB182AA9CC11C19CC28D672A44E014ED1F13B014,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:51.339{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51235-false10.0.1.12-8000- 354300x8000000000000000124058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.799{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14malware.com51714-false142.251.32.4ord38s33-in-f4.1e100.net443https 354300x8000000000000000124057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.796{99CEBDD5-9A1A-62E7-2D00-000000006A02}2748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local51713- 354300x8000000000000000124056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.345{99CEBDD5-99EE-62E7-0100-000000006A02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61614-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local445microsoft-ds 354300x8000000000000000124055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.345{99CEBDD5-99EE-62E7-0100-000000006A02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61614-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local445microsoft-ds 354300x8000000000000000124054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.236{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14malware.com61613-false10.0.1.14malware.com389ldap 354300x8000000000000000124053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.236{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61613-false10.0.1.14malware.com389ldap 354300x8000000000000000124052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.229{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61612-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local389ldap 354300x8000000000000000124051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:52.229{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61612-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local389ldap 23542300x8000000000000000124050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:54.006{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A77506EDFD4C4708ED7E18E53298F9,SHA256=7A98F6EE465EE8A9D95AE16DD67033919FD7345E61FBEEFD4DF46AECBA3BE5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:55.931{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:55.744{6DD70E3E-9A06-62E7-1200-000000006B02}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9E58CF5171A0744CEE860C14488499BB,SHA256=C69EEBC60EC324CC1DFE07224DC1DD4B5B736D64391C6EAC753C6FE432B26A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:55.150{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE584D90C601F0D213917B52BCEEB695,SHA256=8E5D3B033F5F97C5A2A281188E3155487F40A40F0B74639923EC251006B87351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:55.126{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182C58469B1B51D8B11996EE7F48B118,SHA256=49FCDF1FEBFA2B8112011848ED360855A2651C726EB9B13768FA3BD4D93885E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:56.353{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DD2ADCB7A03FE52C0C3A2C46C50BA0,SHA256=A1D2E8C68C9798206C2F2C6D9B1A80353D38DA45018FC23BE0B1CD6886CBD5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:56.157{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035116E63AE060CF12298C93C27B0854,SHA256=56F67DFDB67E7D1287FE726C68C101CB74C775FBCC42BB6D9F7CBFD91C983462,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:55.073{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51236-false10.0.1.12-8089- 23542300x800000000000000062478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:57.447{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40EA08B163BA1C16A86029DBB1090D1,SHA256=E5C206286F285B3419DFD4C2D76AC122A97C45A8623A750E29DC90B412A47701,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000124072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000124071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0078961e) 13241300x8000000000000000124070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a591-0x5e3cb64f) 13241300x8000000000000000124069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a599-0xc0011e4f) 13241300x8000000000000000124068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a5a2-0x21c5864f) 13241300x8000000000000000124067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000124066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0078961e) 13241300x8000000000000000124065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a591-0x5e3cb64f) 13241300x8000000000000000124064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a599-0xc0011e4f) 13241300x8000000000000000124063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:27:57.970{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a5a2-0x21c5864f) 23542300x8000000000000000124062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:57.319{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08481DE19B31FAD05F531AF63E66BC9D,SHA256=9A0CC04D80DC38C2BFCB3BF37D4F4E7400EF0586E03B39DBDF920B9B35F8E9D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:55.110{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61615-false10.0.1.12-8000- 23542300x800000000000000062480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:58.541{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7732B24AF1CF8BFFAC5F2BAAF937E3DD,SHA256=556CF6EA40DB89EE924C9EFC851CDE2816A6F77A3B480DDFFF724990138C08EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:58.486{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=95CED48468EE0E51208E63BE65E7A372,SHA256=C52B5C39FED5856F6257EDFF17743FE9F424456AABF1116FC9B9EBC7C7CD61B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:58.355{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3D2D2C84F085E16ACB258BA8FDFDA1,SHA256=6AC2D064F17620FA2064E78C8C5445128C07ADB740A81EF587C91385811456D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:57.370{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51237-false10.0.1.12-8000- 23542300x800000000000000062481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:27:59.744{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEA29D1DA720B8E18EE711517B0A31E,SHA256=2B46F6E8EF477F8B7B7C29D5F55FC4833490917E0252FE60A8B8DD9237CEBDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:27:59.486{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FA80979E5FB00469439C501531F728,SHA256=44A522C2BDD76E53CA676107141C40AF3B01D91A1E198C5CA94898F77E8FC1DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:00.947{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B3FA9976A9B974181503445D5FD0EE,SHA256=23F14BCEE69B313267A90427E1CCBE5FC4CABF5DF62067BD76C0B33280E3F238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:00.518{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034AF63A85E53C2D9A7FDCB62023E8AE,SHA256=6683E0636F860F74966646A0FB95B50BA5391FFD77323256088ACA986E7E6CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:01.654{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571D154B14FEDE62454CDDE218C149D9,SHA256=AA6BA48277EEE5B7E0F02B3FBFCE72E2F43B481620CB48E3CA6B4669B8FFAF62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:01.438{99CEBDD5-9A0C-62E7-1100-000000006A02}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BC4791E2AEA605E336BC9B3D533227F0,SHA256=58F146EAD94E70B9A5D39C25192D1726977F8DD8F4942A0320AB2D1560BF9F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:02.684{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F027E3226B99820436BD1C51DCAAFF6B,SHA256=A2D6DF7837E02019ADC661789B42F81C14E92D1F4D1406B35455FECC71BD00B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:02.041{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD5DDA73399A06C7CE4B08344A3978F,SHA256=FD47F458B4F25995F697EED80F3F7C29294CEE675D3DBFB80F1CD8EC313EB403,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:00.166{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61616-false10.0.1.12-8000- 23542300x8000000000000000124081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:03.737{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6AE2CBA8691D6D3246D59DC34E5B95C,SHA256=E7A885B73AFA99AA7A7620B66040583DA8BF6E5E40D6DF8C4B07E8AD9CBEF244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:03.135{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3DA7B2C756360FD818D9078E4881F9,SHA256=9B70DC0406B66EEBFA019DFC0B066006E936F2E0BEBAF4CA00A3C90CBDE5190C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:04.867{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CF83666D92ADEF4B8E7AFED2D3C6EC,SHA256=F928B0A90B11EC8AA19DC81D3602E4265C041405BFFDCA104542BF82D8487417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:04.244{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920C17D56A302AECA9C74173082E00DA,SHA256=673D7DE23EFA03BFDF10F0E1FACE671D408F2C80A1B917251583D39565476113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:04.116{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=006340520A1CAA5FD44CC923E9376961,SHA256=D48CC34B20918EA3E9137338F9685C3DD5BCB0DD715A9A7022797B693F0023E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:05.981{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8BA87CD90EA62C00D35F68A6EEC19,SHA256=BCE24BA3C2DF3AF8F9FE17BB9B3A46B33ABB109308016A50A1A526E714784175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:05.556{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C4113189840DAA8D9922864249BAC1,SHA256=884A6F49CA353583AF82E02CAB04A1F0B877DC2D03A77FCA2AD2AEC61DD94930,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.963{6DD70E3E-B8C6-62E7-3104-000000006B02}33483192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8C6-62E7-3104-000000006B02}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B8C6-62E7-3104-000000006B02}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.713{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8C6-62E7-3104-000000006B02}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.714{6DD70E3E-B8C6-62E7-3104-000000006B02}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:06.650{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8C53E6493A3BD098AF7F8032B858D8,SHA256=035EE2258B051F230050C2DA7950A7EBD349BAB38E0D7DA5CBE3C341EF38F04F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:03.245{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51238-false10.0.1.12-8000- 10341000x800000000000000062531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8C7-62E7-3304-000000006B02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B8C7-62E7-3304-000000006B02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8C7-62E7-3304-000000006B02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.873{6DD70E3E-B8C7-62E7-3304-000000006B02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8305C291299EA7371E6EC9491CCFCC6A,SHA256=821CE88CBC4DF0AF4313E1E95D12D37774379DBAD1E7190BFF432CE09EA27546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.869{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8155DD4B2DA14A7A4E9E31087F3233,SHA256=5D4D2CFED357FA2FB83E835AEB91360BD2F4BCCDD5626DDD5627B33ADDC594B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:06.199{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61617-false10.0.1.12-8000- 23542300x8000000000000000124085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:07.114{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=289370B0DDB4E7EACCDBFF655DFF3E16,SHA256=628F7E7E82711E50E5D261AE3F1CC580C0166A613860EA2A629CA93F14095183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8C7-62E7-3204-000000006B02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B8C7-62E7-3204-000000006B02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.213{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8C7-62E7-3204-000000006B02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:07.214{6DD70E3E-B8C7-62E7-3204-000000006B02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:08.947{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE1534448837FB1A006DC6FC5B2A9DF,SHA256=3E44302E469BE52E30519D0F080E60F55574BDFD3B8A3A26595065C8E2C17A7F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000124092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:28:08.696{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\AA1F4EAC-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_AA1F4EAC-0000-0000-0000-100000000000.XML 13241300x8000000000000000124091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:28:08.680{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6BB3AF8C-7492-43F7-B056-5E9FF3670852\Config SourceDWORD (0x00000001) 13241300x8000000000000000124090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:28:08.680{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6BB3AF8C-7492-43F7-B056-5E9FF3670852\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_6BB3AF8C-7492-43F7-B056-5E9FF3670852.XML 10341000x8000000000000000124089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:08.680{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:08.680{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:08.149{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE15D026D1F212D747F3A5CF69AD70D,SHA256=C551864196318CBE8F9AFBF41E52DF1BC87F7A13030C53D7F34ACA66DF64B313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:09.197{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8B5EBE9A1ECA3243F5C7CF7B79AECF11,SHA256=E34720F79740CC5AA618125506ADB0B5A748D0010980E33DBE5C07889B272CDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.534{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.534{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.534{99CEBDD5-9A0A-62E7-0B00-000000006A02}632792C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.280{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB516A63AA24F0A2C9916B0477D844A4,SHA256=8B353C1A7F0260F94ABC78C3A8A6D37C62544F27E857863D208FCF472AEBA817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.651{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9BA4F7F55FC2608CC0124402647BC82,SHA256=8C6402A9246D907D48B2B060C7FAE6CEC3BE5F3E6FCA56E7B16DFF70E750F052,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.549{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.549{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:08.747{99CEBDD5-9A0C-62E7-0D00-000000006A02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61618-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local135epmap 354300x8000000000000000124104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:08.747{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local61618-truefe80:0:0:0:c959:6a91:6028:5705win-dc-ctus-attack-range-506.attackrange.local135epmap 10341000x8000000000000000124103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.365{99CEBDD5-9A0A-62E7-0B00-000000006A02}632668C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.365{99CEBDD5-9A0A-62E7-0B00-000000006A02}632668C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.365{99CEBDD5-9A0A-62E7-0B00-000000006A02}632668C:\Windows\system32\lsass.exe{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.315{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677739899D0DD595355B468F426E682C,SHA256=A37CEC3EBE0BF28589373B3D2DBD6D3D19FF546A7AE270FBD43630A23CEF782E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.338{6DD70E3E-B8CA-62E7-3404-000000006B02}3844068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.259{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6925CC0DAC65E166BB7147B856CAE1,SHA256=666032D66E27715F4181118B78DD32C59BD3F5BDF535892C7DB55C8908E80239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8CA-62E7-3404-000000006B02}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B8CA-62E7-3404-000000006B02}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.166{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8CA-62E7-3404-000000006B02}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:10.167{6DD70E3E-B8CA-62E7-3404-000000006B02}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.249{99CEBDD5-9A41-62E7-8C00-000000006A02}49404420C:\Windows\Explorer.EXE{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FB658CD8)|UNKNOWN(FFFFF511E5997E08)|UNKNOWN(FFFFF511E5997F87)|UNKNOWN(FFFFF511E5992611)|UNKNOWN(FFFFF511E5993FDA)|UNKNOWN(FFFFF511E5992296)|UNKNOWN(FFFFF802FB36E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000124098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.249{99CEBDD5-9A41-62E7-8C00-000000006A02}49404420C:\Windows\Explorer.EXE{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FB658CD8)|UNKNOWN(FFFFF511E5997E08)|UNKNOWN(FFFFF511E5997F87)|UNKNOWN(FFFFF511E5992611)|UNKNOWN(FFFFF511E5993FDA)|UNKNOWN(FFFFF511E5992296)|UNKNOWN(FFFFF802FB36E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.249{99CEBDD5-9BF7-62E7-F600-000000006A02}1644ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF78c607.TMPMD5=E28227B6D6E494469AE6EF4D3E29C7E8,SHA256=FFE486831FA5E731F94AEE76A4513D77409B0F6376D19058D532A16B272B6CC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.599{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14malware.com61619-false10.0.1.14malware.com389ldap 354300x8000000000000000124113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:09.599{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61619-false10.0.1.14malware.com389ldap 23542300x8000000000000000124112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:11.448{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2EC49FBFC4CA4A3845E295FE55D8A5,SHA256=E74BF3E7ABB35445234C8C8E51302F8BAB3AC554A2B45EF16670C456BAFA5700,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8CB-62E7-3604-000000006B02}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B8CB-62E7-3604-000000006B02}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.951{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8CB-62E7-3604-000000006B02}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.952{6DD70E3E-B8CB-62E7-3604-000000006B02}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.592{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\respondent-20220801091656-127MD5=27E9143B9CB90649B07EAF2F4EF1772C,SHA256=A1ABCC2732E4C7E234845602CC2F5F62DB7BFA56C76C6EE76535F9D8057806B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.481{6DD70E3E-B8CB-62E7-3504-000000006B02}37562520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8CB-62E7-3504-000000006B02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B8CB-62E7-3504-000000006B02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.277{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8CB-62E7-3504-000000006B02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.278{6DD70E3E-B8CB-62E7-3504-000000006B02}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:11.246{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF330896760BEAD5A8966A2C033EFEC7,SHA256=DDA84B908CDA49F2EDB7C0AB51C078418C301A1782BA2FF7A780A2418E35AAB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:11.232{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2A00-000000006A02}2644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:11.232{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:11.232{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-9BF7-62E7-F600-000000006A02}1644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:12.594{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72C484518152942DE783910EEDD4A82,SHA256=AF24672F43710C246D235562A30CD30AB278F520C86550101CAB4421F91C2075,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.429{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14malware.com61620-false10.0.1.14malware.com389ldap 354300x8000000000000000124117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:10.429{99CEBDD5-9A1A-62E7-2B00-000000006A02}2668C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61620-false10.0.1.14malware.com389ldap 23542300x800000000000000062581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:12.593{6DD70E3E-9A06-62E7-1C00-000000006B02}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d3c3f526c7193f2d\channels\health\surveyor-20220801091654-128MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:12.451{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F377D8F7722DEB06A3BB81C197CE2BD,SHA256=718263311F9572F109B6C985ED79ED0A0AAB63690882740B83CF0CAC31194213,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:09.261{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51239-false10.0.1.12-8000- 10341000x8000000000000000124116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:12.147{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:12.147{99CEBDD5-9A0A-62E7-0B00-000000006A02}6326768C:\Windows\system32\lsass.exe{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:12.139{6DD70E3E-B8CB-62E7-3604-000000006B02}33682544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:13.630{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02508C27613E08D7E606922779B03F2,SHA256=C50A7E20DB46BDAD4C95FE7AB2E08E6327E45E29E19AE78ECC1D904FC7410DA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:12.127{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61621-false10.0.1.12-8000- 10341000x800000000000000062595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B8CD-62E7-3704-000000006B02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B8CD-62E7-3704-000000006B02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B8CD-62E7-3704-000000006B02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.920{6DD70E3E-B8CD-62E7-3704-000000006B02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:13.326{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65A2E7EB136863F23B80DE8B47427AD,SHA256=4438509ED9AAB5A9FC6FCEA8D35101347095680ADBA351E89229A9BAB39644DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:14.529{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413246371E2493A49390B2E61C46893D,SHA256=28D9AC0B7EE3B6FD7411826BB6C76CB4523B302CEECD705BE1D5CC8335D032E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.676{99CEBDD5-9A41-62E7-8C00-000000006A02}49408776C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.676{99CEBDD5-9A41-62E7-8C00-000000006A02}49408776C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.676{99CEBDD5-9A41-62E7-8C00-000000006A02}49408776C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.661{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.661{99CEBDD5-9A41-62E7-8700-000000006A02}46164672C:\Windows\system32\taskhostw.exe{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.661{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB025D26B96111462B2907A6E921773,SHA256=C396E12559C11D28B63D681E6A94B270FB83AD41829922B0B94CD15F48137730,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49406820C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49406820C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49406820C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49406820C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A0C-62E7-0F00-000000006A02}104352C:\Windows\system32\svchost.exe{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.645{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.630{99CEBDD5-B8CE-62E7-3905-000000006A02}51486316C:\Windows\system32\conhost.exe{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A3F-62E7-7D00-000000006A02}3228884C:\Windows\system32\csrss.exe{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.614{99CEBDD5-9A41-62E7-8C00-000000006A02}49409452C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+20f438|C:\Windows\System32\windows.storage.dll+1665aa|C:\Windows\System32\windows.storage.dll+166302|C:\Windows\System32\SHELL32.dll+4c89d|C:\Windows\System32\SHELL32.dll+4b436|C:\Windows\System32\SHELL32.dll+6cf99|C:\Windows\System32\SHELL32.dll+e085e|C:\Windows\System32\SHELL32.dll+154f20|C:\Windows\System32\SHELL32.dll+17acfc|C:\Windows\System32\SHELL32.dll+198148|C:\Windows\System32\SHELL32.dll+17ae96|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000124122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:14.619{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319"C:\Windows\system32\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{99CEBDD5-9A41-62E7-8C00-000000006A02}4940C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000062598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:15.842{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC2AD870F5A6AC97F5692CF7663A9B0,SHA256=B2CC62F5639BA1F1360F74016C1BAE511BCF5A4C4608EF3306E5884866B01710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:15.692{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BC4C566F6CD8DDEA9C77C78CE6930E,SHA256=528A14C0CB76CB692D18810C7FFE6C46659351B9979427DC45B5A646F5FF84D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:15.661{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0418540AD46DABF1A0AA3419CD5D1A,SHA256=606B1F287348C192A0E4F678D31EB9C10FAB43BCE6E8086286BCBE16AB600230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:14.998{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1FF96A0E36F214F0F4F9A1A6971E1EC,SHA256=8FA97D3693E12DD46D74725CB8E053D1E93B7E16B80CE565D3CF30DEE478DE05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:16.935{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB316BF6B09A6BC3530A1CCFFDCDFDF,SHA256=7313673720017647530EBE98E0417FB55ED2044AAB69781DC8B5D9EE35DEE0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:16.728{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1886BB28C099D948846E7A8A3973A5,SHA256=A428A138DD661BF86C8CBCCF9B664ACF0EB244EF8BB9E6DB2C58EDCA9870958F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:16.211{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:17.874{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7C7376AEB3BEDE62A251F92A9299F8,SHA256=C95232505F248300A4C4D8A8178A40C37A3A158EF3B9F9CE783A71F0848CD630,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:15.218{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51240-false10.0.1.12-8000- 354300x8000000000000000124151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:16.256{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61622-false10.0.1.12-8089- 23542300x8000000000000000124153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:18.906{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90FCFCA77C431105F191EF6DB203F62,SHA256=2263D11950BDA045D6DB82FC9A83BA0EA8F752230D22A42DC6022B5F442C786B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:18.029{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5116CB127C7B5E77BC595B7A8D4D5219,SHA256=120AEAD56B5547F2147A6AE8F38314E99CD1EEC09F4C1460E81D72EFFD87140E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:19.909{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5249E2361AF20774928953522AD708C2,SHA256=0465CD1E48C76440BE7123018B75931BD6B3A2F4E394AA9460100C4F07E47E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:19.342{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5866BEAFEF6104664405C3B5266818,SHA256=991D007D07CF64C442EC479B1C1C9BCA31773D148A28B4C05507138BD39863A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:18.107{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61623-false10.0.1.12-8000- 23542300x8000000000000000124157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:20.943{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0424C8FD88CA3D05FD9499C5C7F3541,SHA256=3759D26154264B210BAB9F8756F6421DA31CD6AE30C4317AF02D6073467738CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:20.545{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E247524F4384806764788CD903F9F35D,SHA256=20B32FE84560F21F661D466E3DDCEF78BFA7D9A0B886E91CE1574370E45775E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:20.828{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1849a1f|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+1849ebe|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+184755d|C:\Program Files\Mozilla Firefox\xul.dll+19146a7|C:\Program Files\Mozilla Firefox\xul.dll+1b09163|C:\Program Files\Mozilla Firefox\xul.dll+1b002b9|C:\Program Files\Mozilla Firefox\xul.dll+1820265 23542300x8000000000000000124159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:21.989{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA0149035A2880D269053F6A83F41B7,SHA256=1C10A2BD62310C29C5AF6B79912733DC0C3BD230253B09E87B30192895040FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:21.748{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F36C47032BD11D7A8E10666CEC6EACE,SHA256=423CC28F034796E835BAA6E702987851C3FAF81AF7A13EE66F3AB41B5678BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:21.406{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:22.842{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7C261D7926D4E08B535821DACB7975,SHA256=D0C43712ACDA161D0147ECA78A41EF3DBCF0C37BA255DD755F4693127C59054A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:23.935{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D71BED28A2280FEF1B814A5B207AC60,SHA256=20899D9A1D64F02D8F968B43B8DAEE3AB9557208037A0561828E8B637A322DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:23.026{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C559990F0FA87C86C0B89DB292DF49,SHA256=3B5C6271A8EDB9C19DB43128194F758D456B8D5BB89BB7BE8586EF5C69F05B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:21.233{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51241-false10.0.1.12-8000- 354300x8000000000000000124162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:23.190{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61624-false10.0.1.12-8000- 23542300x8000000000000000124161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:24.071{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043AD401A8333EBD2F7563DF5D4A5010,SHA256=AAA2A2B971F4303294A7623C4969881EB9E1C178477DEB0D8CB662859DF64311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:25.103{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECD3C3F0CDD9AC2EA723AE9DD814A7D,SHA256=A58E205AB9AF014464375177F489EB85D0BC0A9114B1CF19FDBD38651F107477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:25.029{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FF2D092EFB2841FDA1F8694D75A241,SHA256=B21F5538B4823927F4FAC6B98A20C75B23441391F4C8391F7FF3322C9B54B81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:26.202{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBBE4016785496EF9B352EEEF69B9D0,SHA256=08239801AA74CBDC917D8A15203E05C9E225A3B73423988AE609695F629AA152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:26.232{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DEEFC421EDAA113A52792DC3A171ED,SHA256=3A14133726199704956235F908DDC215F7092710B391F98E67F8B0D09A4AC096,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.521{99CEBDD5-B8DB-62E7-3A05-000000006A02}74328788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8DB-62E7-3A05-000000006A02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B8DB-62E7-3A05-000000006A02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8DB-62E7-3A05-000000006A02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.336{99CEBDD5-B8DB-62E7-3A05-000000006A02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.236{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5210A51B230CFF2ACB61111738D61759,SHA256=895D57084F245D2900113B0EAFFA2B404C0898FC794344704ADF3D663545850E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:27.435{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28683952A67EAF4AF3FD0D18F8723B1A,SHA256=F780C05E18BE45DBFDE8CD8A28A332398034500637DB04175E17957EB1DAEDD7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000062619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000062618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00790c19) 13241300x800000000000000062617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a591-0x6f550b51) 13241300x800000000000000062616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a599-0xd1197351) 13241300x800000000000000062615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a5a2-0x32dddb51) 13241300x800000000000000062614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000062613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00790c19) 13241300x800000000000000062612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a591-0x6f550b51) 13241300x800000000000000062611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a599-0xd1197351) 13241300x800000000000000062610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-SetValue2022-08-01 11:28:27.076{6DD70E3E-9A05-62E7-0B00-000000006B02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a5a2-0x32dddb51) 23542300x800000000000000062621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:28.638{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997C60001E6D2E2E89C0EB919ED0A770,SHA256=573507F14C2EA88E541B7B6FFBC0330A15168A1B552625A05D81641AAD87B5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.851{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=52F7F5DD364B8D7537127AA3EF4EBD59,SHA256=49F2C4C52E222FACD5DE2D878A9F8C6E692A514F1874B2A36DF18AA86693C197,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8DC-62E7-3C05-000000006A02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8DC-62E7-3C05-000000006A02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.651{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8DC-62E7-3C05-000000006A02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.652{99CEBDD5-B8DC-62E7-3C05-000000006A02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.436{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B72655138E022EB3C82E6E730A81432A,SHA256=B12E14F11D6AF66212054479BE021691EB0299A8BAA6A238AA83420152CB0296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.351{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B04337C2EDE1BE1386C68FE53BF6A6,SHA256=916072B9DFD67DE9BE160F1A8AC4605F29DC802710CF25680A8BC72B6DB3B130,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.002{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8DB-62E7-3B05-000000006A02}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.000{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.000{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.000{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.000{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:28.000{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8DB-62E7-3B05-000000006A02}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.999{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8DB-62E7-3B05-000000006A02}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:27.999{99CEBDD5-B8DB-62E7-3B05-000000006A02}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:29.732{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D2D39242ED9FD8E29001EFBA157959,SHA256=F6AE6777CB09B2B2EC5A29F97487B87ED7EE216B7DE019CC2EA5D90677E4FE17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:29.381{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755BB098562CDF1522474F602AB3BE81,SHA256=CD0AEFFDB53548D0F9EF9E220701D90BD928DC3AEC8132296E6A612141992B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:30.826{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3F478298185ECEE0B6852334984DCE,SHA256=46ACC78F8CE0342A43A1A23FC7C489EADAD49EDB976BDE661AB73A088AD58C9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.935{99CEBDD5-B8DE-62E7-3D05-000000006A02}92369536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:29.630{99CEBDD5-9A0A-62E7-0B00-000000006A02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61626-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 354300x8000000000000000124205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:29.630{99CEBDD5-9A1A-62E7-2600-000000006A02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local61626-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-506.attackrange.local389ldap 354300x8000000000000000124204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:29.162{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61625-false10.0.1.12-8000- 10341000x8000000000000000124203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8DE-62E7-3D05-000000006A02}9236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8DE-62E7-3D05-000000006A02}9236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.765{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8DE-62E7-3D05-000000006A02}9236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.766{99CEBDD5-B8DE-62E7-3D05-000000006A02}9236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:30.434{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D1A808AC6FBEB65CF7C22943B94377,SHA256=F02F24A28387A76302B34573B3CFA80C2A3136B0AEFE57424D6394047BD9FACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:27.233{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51242-false10.0.1.12-8000- 23542300x800000000000000062625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:31.920{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD2EE3A3CABDAB27DF3010626ED3F5D,SHA256=4E6FC0380B3442B987F7AA8D9E10159048CFFA2E9982D656C66CC0D986FDCA7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.603{99CEBDD5-B8DF-62E7-3E05-000000006A02}86888608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.534{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2D4FEA8ED62299481D161648AD295B,SHA256=CA5F21671A4BE0B9FA3C107674E219A2572B169BDD672CD5A1B853AB6A052D8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8DF-62E7-3E05-000000006A02}8688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8DF-62E7-3E05-000000006A02}8688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.434{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8DF-62E7-3E05-000000006A02}8688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.435{99CEBDD5-B8DF-62E7-3E05-000000006A02}8688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:31.152{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\respondent-20220801091716-127MD5=C43D34BE2B67B59870C23F5D1C058A3D,SHA256=06E4DF658D34D48A70EC2DD38C98F92C1FEF70D2DB99183ED0883C06837ECC6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.901{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8E0-62E7-4005-000000006A02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.899{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.899{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.898{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.898{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.898{99CEBDD5-9A09-62E7-0500-000000006A02}408360C:\Windows\system32\csrss.exe{99CEBDD5-B8E0-62E7-4005-000000006A02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.898{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8E0-62E7-4005-000000006A02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.897{99CEBDD5-B8E0-62E7-4005-000000006A02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.534{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A96AE53F35378E0B57877542FC93773,SHA256=18F44ACB2A32B03D2B98FB7E4F5FDD4DF3D40257EC8F3B6496FF3B3D2C681A64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.203{99CEBDD5-B8E0-62E7-3F05-000000006A02}89926836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.150{99CEBDD5-9A1A-62E7-2800-000000006A02}2600NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a360b01f5ce8cbef\channels\health\surveyor-20220801091714-128MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A1B-62E7-3600-000000006A02}31643184C:\Windows\system32\conhost.exe{99CEBDD5-B8E0-62E7-3F05-000000006A02}8992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A09-62E7-0500-000000006A02}408528C:\Windows\system32\csrss.exe{99CEBDD5-B8E0-62E7-3F05-000000006A02}8992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.035{99CEBDD5-9A1A-62E7-2C00-000000006A02}26763944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99CEBDD5-B8E0-62E7-3F05-000000006A02}8992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:32.036{99CEBDD5-B8E0-62E7-3F05-000000006A02}8992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99CEBDD5-9A0A-62E7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:33.580{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AF88079308702ED1225D741B8B0B1D,SHA256=F5E2FD3F1D8D108F6DEB343A4F0CF4CDF57CB8963E2A4F056274BDB913475608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:33.232{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6791ECBC08E1FC318A5D95523F32E0FE,SHA256=831F895E1EFF755518DF50FEE095CBF1EB439DB13C2571CBC4F47FD31749FB05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:34.632{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1849a1f|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+1849ebe|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+184755d|C:\Program Files\Mozilla Firefox\xul.dll+19146a7|C:\Program Files\Mozilla Firefox\xul.dll+1b09163|C:\Program Files\Mozilla Firefox\xul.dll+1b002b9|C:\Program Files\Mozilla Firefox\xul.dll+1820265 23542300x8000000000000000124239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:34.616{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D23E7451D780B861B86E734E2BD43E,SHA256=ACBACA01C80FCDF42C1E126053B41D0562F9694D4C5579238BD1BC09BA1E8373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:34.435{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBD1382CCFCB918191D79A738EFCCBB,SHA256=7744B39832DBE03DE4398575127CF69211A4EC056C49BE3B314EA6495C6C4FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:35.762{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA7EED76667AF2440C144538082E3D0,SHA256=1371F922244AE85FB8BA9BFA4688220C2AFA1E37215A67759F03289E2C5A9199,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:35.731{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56bb7|C:\Program Files\Mozilla Firefox\xul.dll+85bfb5|C:\Program Files\Mozilla Firefox\xul.dll+84f19a|C:\Program Files\Mozilla Firefox\xul.dll+1a24cef|C:\Program Files\Mozilla Firefox\xul.dll+1772c59|C:\Program Files\Mozilla Firefox\xul.dll+1a4a154|C:\Program Files\Mozilla Firefox\xul.dll+9dfe7f|C:\Program Files\Mozilla Firefox\xul.dll+1f6be|C:\Program Files\Mozilla Firefox\xul.dll+181db8|C:\Program Files\Mozilla Firefox\xul.dll+180d3f|C:\Program Files\Mozilla Firefox\xul.dll+44822d1|C:\Program Files\Mozilla Firefox\xul.dll+44ecc42|C:\Program Files\Mozilla Firefox\xul.dll+44eda6c|C:\Program Files\Mozilla Firefox\xul.dll+1f70603|C:\Program Files\Mozilla Firefox\firefox.exe+19bfe|C:\Program Files\Mozilla Firefox\firefox.exe+27ac8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000062629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:33.280{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51243-false10.0.1.12-8000- 23542300x800000000000000062628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:35.529{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F85BEF9B019165FA6984ED60B0F6924,SHA256=D6EE70220073E1FA1315D7E30683F109450BEDE72D3742DC6E5E7D37625D6BB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:35.158{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61627-false10.0.1.12-8000- 23542300x8000000000000000124243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:36.762{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9428608C28123887DF4618CB9E3E9A,SHA256=661685DAEFF79682B747AF94627CA9CDDD85CB781A39828E3941602006038B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:36.732{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067A8164F6F4A9D1C8B4761723BC0470,SHA256=2D2B877738CA3B7AE750FDD96585B8AE2627B5CBBCFDFD0C91370DEDE832E1C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:37.915{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=869F40CCAABCDE8AA4781D9218F085AF,SHA256=A1E2778D6B3A348E0E1BF4668258BCBEC759EFA1E954B2D4D124D7417D7FA94D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:37.826{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E78EEAE1928F0D0B7AF44DEB1B82FB0,SHA256=2431256D6AD7381EB2A72ED37CC49CC50C3BCCCCD3425EEE21E197F86ED346D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:38.961{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B3F45EFEAEE5E240597B1E1B637E4B,SHA256=66274E4FA1EDD9FA8D73E137665F2E2917721010E21F6F58664A7D7AE51D964E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:38.920{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EC149C495A8F13DD8186AC7B670F10,SHA256=E7B3A32796B54FDF7E6E3B87CCC66C703B0C504F4B9D782FC41068339A2778FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:38.529{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F7A14A437D859781E1F49340562031D4,SHA256=8F9BEFA3ED072AC334736C8A6A50EDEA8B49894DC9AA17C57E58661D3A91757B,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000124247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-CreatePipe2022-08-01 11:28:39.860{99CEBDD5-9A41-62E7-8C00-000000006A02}4940\UIA_PIPE_4940_00005f20C:\Windows\Explorer.EXE 23542300x800000000000000062634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:40.013{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A053402E63B13DA3E8D235EE8DD6A2D1,SHA256=FFCC52635F235248A339D5A21963F1508B29BFB2D25E37EB07FAA917C51E3BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:40.093{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC22142F19C3F4B8B8C4A2FB118AD812,SHA256=756669F69AAE76021C20D2815C86206D419B965D8B7F2F0400F4E5EAD99245F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:39.311{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51244-false10.0.1.12-8000- 23542300x800000000000000062635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:41.217{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BB200D56B14860E7C4751BB99F24B3,SHA256=FF22E4D602250EB4B36FC1DCE0A9F23D9E8F193E891BAFDB15B9BF9C5A473F55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.473{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000124256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.473{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x8000000000000000124255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.373{99CEBDD5-9A0C-62E7-0F00-000000006A02}104352C:\Windows\system32\svchost.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.373{99CEBDD5-9A0C-62E7-0F00-000000006A02}1041336C:\Windows\system32\svchost.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.358{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.358{99CEBDD5-9A3F-62E7-7D00-000000006A02}32283140C:\Windows\system32\csrss.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.358{99CEBDD5-9A09-62E7-0500-000000006A02}408424C:\Windows\system32\csrss.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.358{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-B8E9-62E7-4105-000000006A02}8372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.142{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E3CEA8615D2BD590E31B131ED4407C,SHA256=D1650CD0A6D53323CE005E6A471E23402E91BF2E15E191B59081C84D46004AE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.625{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.625{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.625{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.609{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.609{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.609{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.609{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.441{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8F212703105FDBB81AADFCD963F8B6C,SHA256=E81F0A6407996E7A0866C9279FD316DFD353EE80D32D3A01EBC7E3E4CF3FBE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.192{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEC547B43212204F4BEFF26B3B2B2E4,SHA256=C58613FE82DD0049CD233B7FDF03971E40FD4FAF57A7D35E139C6F81F9D942DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:42.420{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7D558589822B31D4B09CC8947B368D,SHA256=23748AEFB69041C99E0FFBCE38D1CC3648BFE93406DD7080C143919668A721B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.010{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000124258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:42.010{99CEBDD5-9A41-62E7-8C00-000000006A02}49405612C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c2d|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 23542300x800000000000000062638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:43.513{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEA49454AC29140E0B1847FE1E0D885,SHA256=9B35403FF7019A58A58F5D37AEC96F010174F3EA5458562271895E51D93C078C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:43.355{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8CE6F9C6D290E45D49C6D719BA31FE,SHA256=506820EE05BB4012C22A3EF00B941A7DB6742A255F5883AF62B2E3DE801F0DBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:41.106{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61628-false10.0.1.12-8000- 23542300x800000000000000062639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:44.716{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65ED20E13B9473D2850C5F20007EC518,SHA256=A72FFA2152BAF1BF630AE49B40805EE4DCBE0C9781F95E195C986287B3407392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.470{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3D5AD361DC7B0D73CBC21CF567CFAE,SHA256=B630AFEDA488733599BF482882272D44B4505ED2272B3B5E7AFF8EC7634FAA7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-B8CE-62E7-3905-000000006A02}51486316C:\Windows\system32\conhost.exe{99CEBDD5-B8EC-62E7-4205-000000006A02}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-9A0C-62E7-0C00-000000006A02}8326468C:\Windows\system32\svchost.exe{99CEBDD5-9A1A-62E7-2900-000000006A02}2632C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-9A3F-62E7-7D00-000000006A02}32289904C:\Windows\system32\csrss.exe{99CEBDD5-B8EC-62E7-4205-000000006A02}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.439{99CEBDD5-B8CE-62E7-3805-000000006A02}34768576C:\Windows\system32\cmd.exe{99CEBDD5-B8EC-62E7-4205-000000006A02}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:44.417{99CEBDD5-B8EC-62E7-4205-000000006A02}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /out:c:\temp\dcrat.exe C:\Temp\1.csC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ATTACKRANGE\Administrator{99CEBDD5-9A40-62E7-8144-080000000000}0x844812HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319" 23542300x800000000000000062640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:45.810{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF798E603EF60122F929FC1633FC1DF,SHA256=58FAE48CEE37849652CE58DCEC0A9CAA665E607FFA6E4971E67A8280190E1D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:45.492{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBAFD968FEC651EA28E6FB81CB2A852,SHA256=357125E4AF0963886A9B68E44E6F901BAE968B5A5ECCF9E8F3308E2BB6505028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:46.904{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4003BD2DE42F362EC257F36809A64796,SHA256=B57C2250A8F0B82AA4CD77FED5E54348B3B2BE462913B2A65A36AA3869619BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:46.640{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34599E052E5849E90DAEEDF4F8977C43,SHA256=FE89244287688AD462DA20EB95E28DEBA32756DFB89B808ABFA88CD9CB020272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:47.686{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6468968BE13E42CF9CD64E302652FD6D,SHA256=CC809132B1F04108C14ADD67F04209D44DE2666D7EE62712634C11C4CBA2751C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:44.327{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51245-false10.0.1.12-8000- 23542300x8000000000000000124283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:48.771{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795B8423145F591B9782B570BB34FA7F,SHA256=52837C7C4866877AD463E8AF0BDC0DE255D82A942547023F4212D48CDC0E4CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:48.107{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4150B81EC1EC6FDD72CA2CC6C1CD463A,SHA256=E1F6C3B692998D19D5243FA1C18B289921F730CC7180FFB0DB77B2E6F532793F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:49.858{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C035B0DA044A923BDFDCC9BD730D009A,SHA256=3E95D647DA8A2488054265D4CEB47D712506DB72B8942640054EFE01FF3BC171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:49.201{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D6AA05A5F12D039029E09817565DE5,SHA256=A0F806F8D273FEBA72F08AC525EE36992A6E2AC5F4829C455B85E9E2B13A2274,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:47.103{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61629-false10.0.1.12-8000- 23542300x800000000000000062645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:50.404{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6B14AB590189F63BAF6D08D822E230,SHA256=C4F2EE540FB94860654C32CA1CF4AA17AC4BEF62CB9CB5E83DE3279589F330DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:50.889{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC91F186B7667F54CF1C53610A97B281,SHA256=3C5196F06A7988741E2FD1547B72F047C2057C3A22FE405406A315877B450BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:51.607{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4761E238804CFE01EB8364979DECF9,SHA256=CF12E43ADC9B9581C3D5FF918AF792606A4A466EDF2B76FB87D5196B5862B363,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.058{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.058{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.058{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.042{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.042{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.042{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:51.042{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:52.920{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D373F509497A9C86C08E47C6010970,SHA256=A849CB2EE26AC162C59030EE1B71F2D75107DF9807F84604689378AB4DEE8B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:52.010{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C109F015A7AA1D9E8756DB219B32FB52,SHA256=B85B57C6E9707AE437C09F4CAC8FAE135C3E005FCCEA677CCF768132E158E91F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:50.217{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51246-false10.0.1.12-8000- 10341000x8000000000000000124303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.595{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.595{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.595{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3805-000000006A02}3476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.595{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.593{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.593{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.593{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-B8CE-62E7-3905-000000006A02}5148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.157{99CEBDD5-9A0C-62E7-0D00-000000006A02}8887508C:\Windows\system32\svchost.exe{99CEBDD5-9A0C-62E7-0F00-000000006A02}104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:53.026{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B830848AF0310E834A2711BEC1AAEBB,SHA256=C7316955FABC6B6FDC58FE705AE22666D96C496AA0CF7D1EB53A871FAA14E1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:54.123{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FE3D1BC4B89944BFA20E5E3EFC1050,SHA256=7B84B53CA3990CB55FE8C250D26754BC2597E2914E009908AE3F24847983DAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:54.072{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4B0F91B0B96CC826E69233DFDE4973,SHA256=764054712D55BC9DF1B6C7F6A5F059FBAB0CAE12655C44BFDADA159C613E3F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:55.951{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=25816E7C09E1460596D6E53B6AF1C61E,SHA256=F6D990CC1587F6C6F296BC26FCB2E41B41D69FFF06F141CB65E68263D89B9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:55.748{6DD70E3E-9A06-62E7-1200-000000006B02}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7906E9B605A8A12CDA312335F33A47ED,SHA256=22D8DCB9DF27F8331B4A561DBD88CAEC4B208B5A41419A41AF12A7DB78D907DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:55.216{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E57A6112227679C5799B242AEA465A1,SHA256=C917EE9C3CDB61235598D6A49E1CD8684660E4B92CB731B82DBC044A6C41B258,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:52.190{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61630-false10.0.1.12-8000- 23542300x8000000000000000124305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:55.123{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18505431CDBC34C72540529120FCD28,SHA256=2C25572786C26B5FFA6949B337B0E4A3EE66AAF8FFD6D1DB99E321620DB6DB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:56.420{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2E7484CCD6E69156FA5EC36D5DE087,SHA256=DB126AC525994FF483D3E871455338F9A82186978B0C54D0E750850F279B399B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:56.269{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BC3058BB01B204B3E8B2B6F33032C9,SHA256=D1B1CB1749D9E0D555D17FA27C3F07EC2691CCFFF6B55B31DD03B03E2663ECAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:57.623{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3030B44E70D1822FBE28F768B571177,SHA256=7F32CDECA1239B8990661512D9E3FD0BDD81728B7FDB55EF2C280A7535067EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:57.305{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78E82178697CC470DA19C40CAE1DC24,SHA256=90849D3A6EECD5AA0E674B1672DF767A51A59C0E54DEF8EBAF4D7AACD21A3396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:58.935{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7C6F780BD35057ADBEC32C5B20F394,SHA256=ED9E0485F02C2314302D530C0BAD3F21C820C435D66FD22A7FC11553614E25C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:58.420{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13F1ED108D367367AB4FC2F5985C04F,SHA256=B5568FD84257918F4DE4B6DEC0406038A943D58E24017E603DAD37666C91C384,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:55.327{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51248-false10.0.1.12-8000- 354300x800000000000000062658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:55.092{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51247-false10.0.1.12-8089- 10341000x800000000000000062657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:58.029{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1500-000000006B02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:58.029{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1500-000000006B02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:28:58.029{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1500-000000006B02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:59.450{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0602A3EA13B300A2804CA02166FB1B29,SHA256=4FCAF73D7D4B8C2694150A4ED08A7FC159971F330E2F86CBA4D5489873F76D7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:57.316{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61631-false10.0.1.12-8000- 23542300x8000000000000000124310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:28:59.134{99CEBDD5-9A1A-62E7-2C00-000000006A02}2676NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=35F2103DA698B023B6CC7E9C8D5AB3A8,SHA256=1E88DCE9DDBE076548B4D0C6B5B8A6A2C1D0DDA788D95176EF684A0B47935687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:00.138{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C945085076769756C397C8B542EF9D6,SHA256=505B023BE27F6B27E27404A7689BD8D1636048DDA7B095A71BDF21F20C92C90C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000124314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-SetValue2022-08-01 11:29:00.702{99CEBDD5-9A0C-62E7-1200-000000006A02}384C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8a599-0xe589e725) 23542300x8000000000000000124313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:00.465{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D789EA90ED29CC98173AF92A16ED846,SHA256=93834D6CEDE47C8BFE068083509A99E1CE38ADC5C79FBA05D20863D8BF95832A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:01.232{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BBDF5AB0CED3711D81F2599658E441,SHA256=FF080092CB50A5AD90E0F6FC310F8789968DD1D7B737D9BF5B9B3163EB682DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:01.582{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1D197ED9936125E5888A1DDFA3836F,SHA256=73A5B2055732F78DF18ABE0912DCBAEE41DF2F1BCAF04C9A9F989E5C15A2961B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:01.448{99CEBDD5-9A0C-62E7-1100-000000006A02}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0B0D4126C3E472498FDBA5CE66910747,SHA256=CE92F2B313719455C172116C389CEC61B76308BF045E14F262701781FF7C6452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:02.435{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C875F3128D146C2B1D4BFD3638F42361,SHA256=6B50F4CC555C88298C674C3347C4F2742C34BC19ECE8E282C116ECFC1810778D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.717{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2964164CE9F7EDF0246B8E7AC637DE33,SHA256=992A44F7A09DBD0940589C730D71861DD10072496747126C54F892E766A758B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}4940416C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:02.201{99CEBDD5-9A41-62E7-8C00-000000006A02}49404340C:\Windows\Explorer.EXE{99CEBDD5-9A5B-62E7-A500-000000006A02}5712C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:03.654{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F54EDBA735DA1440DD9E12243EB2F7B,SHA256=4E4D105FE79F65C8EFDE40549CD8CDC80738D38484927F6BAD32E84DBCB78364,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:01.233{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51249-false10.0.1.12-8000- 23542300x8000000000000000124326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:03.762{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C1019D85113EF67FE01A53228DE7A0,SHA256=8129E4238F3EABC67999EB571074F355AD6A8695366CE4B839427B820CC5B574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:03.562{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=37925BAD6EC8890F44324857FF02C84C,SHA256=8B4BA21BA3A12E58838C040AA69E22D4DA63430E5EA45B33D5D7625FD8DEE835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:04.857{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88068260E1B552842255653C154BBBDD,SHA256=D251BE5EDD6E0AA0C540D236F93C2265D4A053876E2DF324475088D1A2C96CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:04.814{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8256AC0D094A8E6902BE1E7FEC734AD,SHA256=92E34009F7516639BC45E15D02F6C7AD9C4FF2DB137FE89AD912928CD25FA0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:03.211{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61632-false10.0.1.12-8000- 23542300x800000000000000062667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:05.951{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8822540851BA72DDD7A9CE56FB6CBBD,SHA256=C504BF72D44DB2DB49B04BE62102EF1EBF3298E86028346F7F9FD750768A0D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:05.859{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA46135D762D6D2C5950AE05F5EFE52E,SHA256=9BDF21BA81F44FB4CE634BC25C27A854B74A9096EDD70F110AB949DCCE8915E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:06.895{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3587D0D799C14781EB7626874551B1,SHA256=586517C37AF69A6996DBFC647E2906CC420FCCECB82ECE3796A77F973CF1072A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B902-62E7-3804-000000006B02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B902-62E7-3804-000000006B02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B902-62E7-3804-000000006B02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:06.717{6DD70E3E-B902-62E7-3804-000000006B02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:07.941{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7F0D0BA925720EAEF12EC1250FB376,SHA256=F4CC2D4AC4C6F39F2DC9D07C75B8C16202FBC794D5BCFE8B41053CBFF5597C27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B903-62E7-3A04-000000006B02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B903-62E7-3A04-000000006B02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.888{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B903-62E7-3A04-000000006B02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.889{6DD70E3E-B903-62E7-3A04-000000006B02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.841{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2EE927881381BBEFC79498893D452AA,SHA256=7ECA67845F6125B326459C8228DEDF44674F409921FF9445DEBC738FC7630E90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B903-62E7-3904-000000006B02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A05-62E7-0500-000000006B02}412940C:\Windows\system32\csrss.exe{6DD70E3E-B903-62E7-3904-000000006B02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.232{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B903-62E7-3904-000000006B02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.233{6DD70E3E-B903-62E7-3904-000000006B02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.045{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756C7E4593E99EC26709949F74E60893,SHA256=0A02DDE625BEE699E7C9DFB3D0EA0C2515C014C089FE48E7482DBBA10AF2195F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:08.974{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A75542E492666A99CF562D688A2A0E9,SHA256=7AFB7A6143184543359352D39C2CF1D18DBEFFC8482EF9181BC3C7BA3A5879C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:08.763{6DD70E3E-9A06-62E7-1F00-000000006B02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E16C06A74E6A7D717E11E3C321CC9E8A,SHA256=6657F8DF1DB96CCFD6F0587FEEE028E134AC8107ACB6C7DCFF403B69C9E65033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:08.248{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F1378DF676E7621CD82D2A5DB01D4D,SHA256=F848439F4CEC543C1FBCFC749E2F6BD75FF06DCC9515A7522FC277BC4853E785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:08.824{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.cs@2022-08-01_112903MD5=EA416AF7B82503492E5F053A5BA6AEC2,SHA256=6BF5118FC2261DF1FFC184DC4036F8B57800BC8FC4557CDBCE21BB45AF4EC5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:08.824{99CEBDD5-9A5B-62E7-A500-000000006A02}5712ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.csMD5=EA20B9D4680A2804F8C11BE54F4A11F2,SHA256=4CA57EE73EFD72EBF6CAD7C767616E52EB5C11FFEE89E395C7AFDCAA81F5B623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:08.060{6DD70E3E-B903-62E7-3A04-000000006B02}39681672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000062713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:07.248{6DD70E3E-9A11-62E7-6000-000000006B02}3120C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-801.us-east-2.compute.internal51250-false10.0.1.12-8000- 23542300x800000000000000062712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:09.357{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA9F188293E4C203B0C034E3922DCD4,SHA256=B205572ACDE6DB62F2265854484A9FE8B0EC70CB5EAA23128429D043A66AF299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.451{6DD70E3E-9A18-62E7-6C00-000000006B02}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE4A5B1CC385E02327FC2365646FAAE,SHA256=6CC89F2E0784250265E90543554B1CB7CD8266AB7817FAD82B4F81A78BB1051D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:09.119{99CEBDD5-9A25-62E7-7000-000000006A02}3960C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14malware.com61633-false10.0.1.12-8000- 10341000x8000000000000000124336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:10.725{99CEBDD5-9BF7-62E7-F600-000000006A02}1644172C:\Program Files\Mozilla Firefox\firefox.exe{99CEBDD5-B58C-62E7-D104-000000006A02}2960C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+26830|C:\Program Files\Mozilla Firefox\xul.dll+e566c4|C:\Program Files\Mozilla Firefox\xul.dll+e56fa9|C:\Program Files\Mozilla Firefox\xul.dll+e57288|C:\Program Files\Mozilla Firefox\xul.dll+11ec43b|C:\Program Files\Mozilla Firefox\xul.dll+e53b07|C:\Program Files\Mozilla Firefox\xul.dll+12075c6|C:\Program Files\Mozilla Firefox\xul.dll+cd20e|C:\Program Files\Mozilla Firefox\xul.dll+c3de34|C:\Program Files\Mozilla Firefox\xul.dll+c3db6b|C:\Program Files\Mozilla Firefox\xul.dll+187a9aa|C:\Program Files\Mozilla Firefox\xul.dll+1849a1f|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+1849ebe|C:\Program Files\Mozilla Firefox\xul.dll+1c56c6b|C:\Program Files\Mozilla Firefox\xul.dll+1dafa00|C:\Program Files\Mozilla Firefox\xul.dll+184755d|C:\Program Files\Mozilla Firefox\xul.dll+19146a7|C:\Program Files\Mozilla Firefox\xul.dll+1b09163|C:\Program Files\Mozilla Firefox\xul.dll+1b002b9|C:\Program Files\Mozilla Firefox\xul.dll+1820265 23542300x8000000000000000124335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-506.attackrange.local-2022-08-01 11:29:10.010{99CEBDD5-9A2D-62E7-7A00-000000006A02}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90912DF386C477D6AF836DEE0D4868C4,SHA256=B30EDB222E6201A69868B739A7DE574CAF84A8D6BB4AA42EB1B7BA34BACA3F99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.373{6DD70E3E-B906-62E7-3B04-000000006B02}35563056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B906-62E7-3B04-000000006B02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0500-000000006B02}412428C:\Windows\system32\csrss.exe{6DD70E3E-B906-62E7-3B04-000000006B02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.169{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B906-62E7-3B04-000000006B02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:10.170{6DD70E3E-B906-62E7-3B04-000000006B02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6DD70E3E-9A05-62E7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6DD70E3E-9A06-62E7-1F00-000000006B02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000062756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A07-62E7-2E00-000000006B02}28522872C:\Windows\system32\conhost.exe{6DD70E3E-B907-62E7-3D04-000000006B02}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0C00-000000006B02}7204016C:\Windows\system32\svchost.exe{6DD70E3E-9A06-62E7-1D00-000000006B02}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A05-62E7-0500-000000006B02}412524C:\Windows\system32\csrss.exe{6DD70E3E-B907-62E7-3D04-000000006B02}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-801-2022-08-01 11:29:11.966{6DD70E3E-9A06-62E7-1F00-000000006B02}20082896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6DD70E3E-B907-62E7-3D04-000000006B02}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000